This report documents a study of the historical safety and reliability trends of U.S. space launch 
vehicles from 1980 to 2015. The report contains three sections: a baseline survey of historical 
launch vehicle failure data, an interpretation of the survey data in terms of vehicle safety for 
crewed vehicles, and a summary of key findings and safety interpretations. The report is 
supplemented with three appendices with data tables and detailed descriptions of safety and 
reliability historical data for flights that experienced launch vehicle error. 


Introduction 


This study began as an investigation into the relative safety and reliability associated with launch 
propulsion technologies. Because the scope was general, and not limited to any specific launch 
architecture, it was impossible to make specific predictions about risk implications. As a result, 
the study became an assessment of the historical record, with the goal of extracting trends that 
are applicable at a general level. As many such surveys have been done before [1] [2] [3], the 
expectation was that the current effort would simply be an update that included flights since the 
previous historical summaries, with a specific emphasis on propulsion technology as a 
differentiator. 


As we went through the detailed failure reports, we quickly realized that using the traditional 
approach of counting failures that manifested in the propulsion systems was incomplete. Instead, 
the required support subsystems for a propulsion system must be considered as part of the 
propulsion system success rate. For example, a liquid rocket engine (LRE) requires the 
propellant management system to function, and failures in the propellant management are a 
reflection of the complexity of LRE systems. However, while tracking where the launch vehicle 
failures manifest is important, it does not in itself provide a complete picture. Conversely, 
considering failures at the vehicle level tends to be more about the heritage of the specific 
systems than the propulsion technology. For this reason, we consider historical failures of launch 
vehicle stages, as this is the lowest level that contains the propulsion system and its support 
subsystems. 


By considering failures at the stage level, we also identify key interactions that can lead to 
failures. These interactions not only broaden the scope of propulsion system robustness, but also 
provide additional insight into the proximate causes of launch vehicle failures in general. 


Ultimately we would also like to understand the implications of propulsion system reliability on 
crew safety. Since the vast majority of launches are for cargo missions, a direct assessment of 
accidents and crew safety is under-supported by data. However, by considering the interactions 
between the failure-initiating system and the ultimate manifestation of the failure, some 
rudimentary inference can be made. 


The following sections discuss the historical study in detail. The launch data was examined to 
specifically test whether, historically, propulsion technology choices drive launch system risk. 
The data was processed per launch vehicle stage, where by definition a stage could consist of 
only a single propulsion technology. Results are aggregated in terms of gross failure trends as a 
function of successive stage attempts. The data is then presented in terms of the underlying 
causes associated with the failures. Interactions between failure initiation and manifestation are 
then presented, broken down by the different propulsion technologies. Finally, the failures are 
discussed in terms of the potential implications for similar failures on crewed missions. All of the 
historical data sources were extensively cross-referenced to ensure consistency. However, some 
interpretation is often required for classifying failures into meaningful groups, and we have taken 
steps to identify the assumptions made. The raw data is included in Appendix B so the reader can 
form their own conclusions for assumptions aligned with their own needs. 


Section 1: Historical Launch Vehicle Survey 


This section presents an overview of the present historical launch vehicle survey, covering the 
survey methodology, the survey data, and the role of vulnerabilities and subsystem interactions. 
Because the records and failure investigation reports of non-U.S. launches are much less 
accessible and complete than their U.S. counterparts, this survey was limited to domestic 
missions. 


1.1 Methodology 


Launch vehicle and space launch flight and failure data were collected from multiple public 
sources [4] [5] [6] [7] [8] and compared, cross-referenced, and reconciled for discrepancies. 
Since no single data source had all the information needed or was found to be significantly more 
reliable than the others in reporting flight status, whenever there were disagreements, details 
appearing in the largest number of independent sources were used. One-day differences in launch 
dates were not resolved. The resulting flight manifest database combines the collective 
information from all of these sources. 


The database generated from this study contains all domestic orbital launches between 1980 and 
2015 (inclusive), including failure data for launches that either failed to reach the intended orbit 
(too low or too high), achieved the intended orbit but not as originally planned (short first or 
second stage burns compensated by enough upper stage or satellite margin), or delivered a 
damaged payload. Many sources would consider some of these latter launches to be successes, 
especially if some mission objectives were met. In this study, all of them were included in the 
database as a way of tracking the frequency of launches that resulted in contingency activities 
(close calls or successfully mitigated cases). Thus, “failure” in this document refers to any flight 
that experienced a documented off-nominal event, even if the event was successfully mitigated. 
Scrubbed flights were not included. Appendix B consists of two tables that summarize the data 
for the failure fields for each flight included in this report. 


In addition to the launch date and vehicle name, all flights in the flight manifest database contain 
the following fields: 


• Launch status — Launch status is the commonly encountered success-fail field for a flight, 
  but with more information about the flight’s failure element and/or severity. The values of 
  this field are: 

    ◦ success = a successful flight without documented incident, 
    ◦ latent error = a successful flight with anomalous events that did not manifest as 
      issues during flight, e.g. tile damage on Space Shuttle, 
    ◦ minor error = a successful flight with completed mission objectives but not 
      without incident, 
    ◦ post-separation error = a successful flight but with an error by the payload 
      spacecraft itself following deployment, that was not caused by the launch vehicle, 
      and 
    ◦ launch vehicle error = a flight with a launch vehicle error or anomaly leading to a 
      failure to correctly deliver all payloads to their proper orbits, or a flight that 
      damaged the payload during ascent or separation. In this database, failure to 
      properly deliver all payloads, even if the error was successfully mitigated by the 
      satellite, is considered a loss-of-mission (LOM) event. 

• Stage type — Additional fields that indicate the type of propellant for each stage in a 
  launch system, one type per stage (numbered 0-5). Valid stage type values are solid, 
  liquid, or aircraft (for the air-launched Pegasus vehicle). Strap-on boosters, regardless of 
  number, are treated collectively as a single stage. Strap-on boosters and aircraft are listed 
  as “Stage 0” in this database. 

• Vehicle type — A field indicating whether the launch vehicle was configured with solid 
  stages only, liquid stages only, or a combination of both types of stages. Solid strap-on 
  boosters were included as a solid stage in the vehicle type, while aircraft, in the case of 
  air-launched launch systems, were excluded as a stage for the vehicle type. 

• Payload orbit achieved — A field indicating whether the payload(s) reached the correct 
  target orbit(s), including any mitigation by the payload. For missions with multiple 
  payloads, the least successful target orbit reached is tracked. Values for this field include: 
  failed to orbit, reached an unintended orbit, or reached the final intended orbit. 


For flights that encountered a launch vehicle error, additional failure-specific fields were 
included that could be used to mine for trends beyond the commonly encountered demonstrated 
launch vehicle reliabilities. Launches with post-separation failures were excluded as they were 
not considered to be launch vehicle ascent incidents. Also not included in the vehicle failure- 
specific database were the flights with minor errors or latent errors. Many of the flights with latent 
errors involved the Space Shuttle and resulted in foam insulation, blanket, and tile damage 
discovered after a successful mission. The flights with post-separation or minor errors often 
show up in other sources as spacecraft or launch vehicle failures and, for completeness, are listed 
in Table A-1 in Appendix A. Appendix A also includes short descriptions of a number of flights 
with notable anomalous events during ascent that were not included in the failure database 
because they did not fit the formal failure definition. 


The failure-specific database fields for flights with launch vehicle errors include: 


• Failure class — A high-level classification of the failure source. Valid values are design, 
  process, weather, or unknown. The classification of process or design was based on the 
  corrective actions recommended in the accident investigation reports and whether the 
  primary recommendations involved a procedural or design change. Although multiple 
  failure classifications were reasonable to describe the launch errors in a few cases, a rule 
  to choose only one was observed, which introduces some uncertainty to the compiled 
  data. Process failures include: manufacturing errors, assembly errors, quality assurance 
  errors, repair errors, and software errors. Design flaws include unexpected flight 
  conditions resulting from a lack of understanding of the physical phenomena encountered 
  by the launch vehicle, such as aerodynamics, temperature, vibrations, fluid dynamics, and 
  corrosion. Weather failures were launch errors externally induced by weather conditions. 
  Flights whose failure source was not identified by the investigation board, or whose 
  investigation documentation was not found, were classified as unknown failures. 

• Failed stage type — The type of the stage where the failure initiator occurred, either solid 
  stage, liquid stage, or staging, if the error occurred during a separation event between two 
  stages, while jettisoning boosters or fairings, or during payload deployment. 

• Failed stage number — The failed stage number indicates when during flight the 
  initiating error occurred. Strap-on boosters are labeled as “Stage 0.” Failures that 
  occurred during staging were assigned the stage number of the stage that initiated the 
  error, or the stage operating nearest the event (as in fairing jettison events). Failures that 
  occurred during payload deployment are listed with failed stage number 5. 

• Initiating subsystem — The subsystem where anomalies were first detected. The 
  subsystems were split into the following categories: engine/motor; avionics (software and 
  electronics); main propulsion system (MPS), namely the propellant management system 
  consisting of propellant tanks, feed lines, and regulation/pressurization tanks and systems 
  external to a liquid engine itself; guidance, navigation, and control (GNC); structures; 
  staging systems; thermal protection systems (TPS); and unknown, which was used when 
  the initiating subsystem was not identified. This categorization approach separates the 
  MPS from the engine itself in order to differentiate propellant management issues from 
  engine-specific failures. 

• Manifesting subsystem — The subsystem where the anomalies manifested themselves as 
  an obvious flight problem (e.g., an error initiates in the avionics subsystem which 
  momentarily triggers a loss of power and manifests in the engine as an inadvertent engine 
  shutdown leading to a LOM). 

• Initial manifestation type — The localized failure state of the vehicle resulting from 
  failure. These conditions represent the initial conditions of failure propagation from the 
  manifesting subsystem to other elements/stages of the launch vehicle architecture. 
  Examples include loss of control, explosion, low thrust, propellant leak, case breach, 
  case burst, and unknown. See Section 2.3, Table 4 for the full list of initial manifestation 
  types. 

• Manifestation class — A high-level classification of the initial manifestation type 
  (contained, uncontained, loss of control), useful in identifying the potential of a failure 
  event to propagate into a full vehicle failure. See Section 2.3 for detailed information on 
  these classes. 

• Launch Vehicle Demise — This classification categorizes the propagation mode by 
  which the failure manifestation evolves into destruction of the vehicle during the ascent 
  phase. Valid values for launch vehicle demise are: Environment (propagation to demise 
  as result of the environments produced by the failure), Loss of Function (demise results 
  from loss of critical functionality, e.g., loss of control), or None (no ascent phase 
  breakup). See Section 2.4 for more details. 


1.2 Historical Survey: Launch Vehicle Configuration Summary 
Table 1 lists the stage configurations of all the launch vehicles flown from 1980 to 2015. 


Table 1. U.S. Launch vehicle configuration summary, 1980 — 2015. 


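Launch Vehicle Family    | Stage 0 Type | Stage 1 Type | Stage 2 Type | Stage 3 Type | Stage 4 Type | Combo | Liquid only | Solid only | Grand Total
-------------------------|--------------|--------------|--------------|--------------|--------------|-------|-------------|------------|------------
Antares                  | None         | Liquid       | Solid        | None         | None         | 5     |             |            | 5
Athena                   | None         | Solid        | Solid        | Liquid       | None         | 4     |             |            | 4
Athena                   | None         | Solid        | Solid        | Solid        | Liquid       | 3     |             |            | 3
Atlas                    | None         | Liquid       | Liquid       | None         | None         |       | 67          |            | 67
Atlas                    | None         | Liquid       | Solid        | None         | None         | 26    |             |            | 26
Atlas                    | None         | Liquid       | Solid        | Solid        | None         | 7     |             |            | 7
Atlas                    | Solid        | Liquid       | Liquid       | None         | None         | 30    |             |            | 30
Atlas-5                  | None         | Liquid       | Liquid       | None         | None         |       | 36          |            | 36
Atlas-5                  | Solid        | Liquid       | Liquid       | None         | None         | 24    |             |            | 24
Castor-4/Conestoga 1620  | None         | Solid        | Solid        | Solid        | Solid        |       |             | 1          | 1
Delta-4                  | Liquid       | Liquid       | Liquid       | None         | None         |       | 8           |            | 8
Delta-4                  | None         | Liquid       | Liquid       | None         | None         |       | 3           |            | 3
Delta-4                  | Solid        | Liquid       | Liquid       | None         | None         | 19    |             |            | 19
Falcon-1                 | None         | Liquid       | Liquid       | None         | None         |       | 5           |            | 5
Falcon-9                 | None         | Liquid       | Liquid       | None         | None         |       | 20          |            | 20
Minotaur                 | None         | Solid        | Solid        | Solid        | Solid        |       |             | 7          | 7
Minuteman                | None         | Solid        | Solid        | Solid        | Solid        |       |             | 8          | 8
Pegasus                  | Aircraft     | Solid        | Solid        | Solid        | Liquid       | 8     |             |            | 8
Pegasus                  | Aircraft     | Solid        | Solid        | Solid        | None         |       |             | 34         | 34
Scout                    | None         | Solid        | Solid        | Solid        | Solid        |       |             | 17         | 17
Space Shuttle            | Solid        | Liquid       | None         | None         | None         | 135   |             |            | 135
Strypi                   | None         | Solid        | Solid        | Solid        | None         |       |             | 1          | 1
Taurus                   | None         | Solid        | Solid        | Solid        | Solid        |       |             |            |
Thor/Delta               | None         | Liquid       | Solid        | Solid        | None         | 1     |             |            | 1
Thor/Delta               | Solid        | Liquid       | Liquid       | None         | None         | 71    |             |            | 71
Thor/Delta               | Solid        | Liquid       | Liquid       | Solid        | None         | 121   |             |            | 121
Titan                    | None         | Liquid       | Liquid       | Liquid       | None         |       | 10          |            | 10
Titan                    | None         | Liquid       | Liquid       | None         | None         |       | 6           |            | 6
Titan                    | None         | Liquid       | Liquid       | Solid        | None         | 7     |             |            | 7
Titan                    | Solid        | Liquid       | Liquid       | Liquid       | None         | 26    |             |            | 26
Titan                    | Solid        | Liquid       | Liquid       | None         | None         | 31    |             |            | 31
Titan                    | Solid        | Liquid       | Liquid       | Solid        | Solid        | 9     |             |            | 9
Zenit-3SL                | None         | Liquid       | Liquid       | Liquid       | None         |       | 36          |            | 36
Grand Total              |              |              |              |              |              | 527   | 191         | 77         | 795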


There were 795 domestic orbital flights, including 36 Zenit flights launched from Sea Launch’s 
floating launch platform (Sea Launch is a multinational consortium with U.S. membership). 
Zenits not operated by Sea Launch were excluded from the survey. Among the flights listed in 
Table 2, 66% used both liquid and solid propulsion stages, while 24% used only liquid engine 
stages and 10% used only solid motor stages. 


Table 2 summarizes the entire 795-flight history by vehicle family, launch status, and payload 
orbit achieved. Of the 52 flights with launch vehicle errors, 31 failed to place their payloads into 
orbit, 13 reached an unintended orbit, and 8 reached the intended orbit but not as planned or with 
payload damaged by the launch vehicle during ascent. The Space Shuttle Columbia failure of 
2003 is one of the 8 flights in this category. These 52 flights are the focus of this survey. 
Appendix C contains a brief description of the major events that occurred in each of these flights. 


Table 2. U.S. launch vehicle accident status summary, 1980-2015. 


Figure 1 shows the total number of flights per year by each launch vehicle type. Although 
vehicles using both propulsion types were the most common configuration during most years, 
liquid-only vehicles were more prevalent in the last four years. 


Figure 1. Historical launch vehicle configurations by year. 


Table 3 contains the breakdown of launches and launch status by vehicle type and number of 
stages of a given type. The demonstrated probabilities at the 5th, 50th, and 95th percentiles of fully 
successful flights are listed for each launch configuration, assuming a beta distribution for the 
probability of success. Launch vehicles employing both solid and liquid stages appear to be more 
reliable than vehicles using a single propulsion type. However, this conclusion adds little insight 
into possible differences between the two propulsion technologies since these vehicles employed 
both propulsion technologies in almost equal numbers (56% of the total number of stages used in 
the combined type vehicles were liquid stages and 44% were solid stages). Although the median 
demonstrated reliability of liquid-only vehicles is greater than the reliability of solid-only 
vehicles, the demonstrated reliability ranges of liquid-only and solid-only vehicles have 
significant overlap. 


Table 3. Launch vehicle reliability rates, by vehicle configuration. 


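Launch Vehicle Configuration | Launch Errors | Total Flights | Launch vehicle reliability (5th-50th-95th percentile) | Total # liquid stages in configuration | Total # solid stages in configuration
-----------------------------|---------------|---------------|--------------------------------------------------------|----------------------------------------|--------------------------------------
Combined                     | 25            | 527           | 94-95-97%                                              | 891                                    | 700
Liquid only                  | 17            | 191           | 87-91-94%                                              | 436                                    | 0
Solid only                   | 10            | 77            | 80-87-93%                                              | 0                                      | 274
Grand Total                  | 52            | 795           | 92-93-95%                                              | 1327                                   | 974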
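

A sketch of how a percentile triple like those in Table 3 can be computed from the error and flight counts, and how the overlap of two reliability ranges can be checked. This is an added example, not code from the report: the report does not give its beta parameters, so the uniform Beta(1, 1) prior, the function names, and the grid integration are assumptions, and results can differ from the table by about a percentage point.

```python
import math

# Counts copied from Table 3: configuration -> (launch errors, total flights).
TABLE_3 = {
    "Combined": (25, 527),
    "Liquid only": (17, 191),
    "Solid only": (10, 77),
    "Grand Total": (52, 795),
}


def beta_percentiles(a, b, probs=(0.05, 0.50, 0.95), cells=200_000):
    """Percentiles of Beta(a, b), a >= 1 and b >= 1, by midpoint integration.

    The density is evaluated at cell midpoints (which avoids log(0) at the
    ends of [0, 1]), accumulated into a CDF, and inverted by linear
    interpolation inside the cell where each target probability is crossed.
    """
    h = 1.0 / cells
    # Unnormalized log-density; the normalizing constant cancels below.
    logpdf = [
        (a - 1.0) * math.log((i + 0.5) * h)
        + (b - 1.0) * math.log(1.0 - (i + 0.5) * h)
        for i in range(cells)
    ]
    peak = max(logpdf)  # shift so the largest term is exp(0) = 1
    mass = [math.exp(v - peak) for v in logpdf]
    total = math.fsum(mass)

    targets = sorted(probs)
    out, cum, k = [], 0.0, 0
    for i, m in enumerate(mass):
        while k < len(targets) and cum + m >= targets[k] * total:
            frac = (targets[k] * total - cum) / m  # position inside this cell
            out.append((i + frac) * h)
            k += 1
        cum += m
    return out


def demonstrated_reliability(errors, flights, prior=(1.0, 1.0)):
    """5th, 50th and 95th percentile of the success probability.

    Assumption: the posterior is Beta(successes + prior[0], errors + prior[1]);
    the default prior is uniform because the report does not state one.
    """
    successes = flights - errors
    return beta_percentiles(successes + prior[0], errors + prior[1])


def ranges_overlap(r1, r2):
    """True when the 5th-to-95th percentile ranges of two results intersect."""
    return max(r1[0], r2[0]) <= min(r1[-1], r2[-1])


if __name__ == "__main__":
    results = {}
    for name, (errors, flights) in TABLE_3.items():
        results[name] = demonstrated_reliability(errors, flights)
        p5, p50, p95 = results[name]
        print(f"{name:12s} {errors:3d}/{flights:3d}  "
              f"{p5:.1%} - {p50:.1%} - {p95:.1%}")
    print("liquid-only vs solid-only ranges overlap:",
          ranges_overlap(results["Liquid only"], results["Solid only"]))
```
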


Figure 2 shows the distribution of launch vehicle errors by failure class. About half of all 
historical launch vehicle errors can be attributed to process errors, and about a third can be 
considered design errors. It is unclear if process errors are more numerous because they are 
inherently more difficult to manage, or if they are easier to implement as a corrective action 
than design changes. 


Figure 2. Historical launch vehicle errors by failure class. 


Figure 3 plots the same launch vehicle error data as a cumulative trend over time. Unknown 
failures reached a plateau after 2002, likely due to better investigation reporting and availability 
of documentation. Weather-related failures plateaued after 1996, likely due to stricter launch 
commit criteria and improved weather predictions. Process-based errors occurred most often, 
followed by design-based errors. The design- and process-based errors occurred at a relatively 
constant rate throughout the survey timeframe. That is, no obvious maturity growth for these root 
causes was observed. While this constant failure rate is consistent with random failure, it is more 
likely due to the wide variation of launch vehicles included in the study. The subsystem 
components and flight profiles of vehicle families received continual updates, essentially 
rendering the individual vehicles as dissimilar systems. Maturity growth curve analysis requires 
the isolation of specific vehicles or launch capabilities and falls outside the scope of this report. 
Launch vehicle maturity growth remains an area of active research [9] [10] [11]. 


Figure 3. Historical launch vehicle errors by failure class, 1980 — 2015. 


1.3 Historical Failure Study: Stage-based Approach 


This section describes the present study’s examination of flights with launch vehicle errors, in 
which the stages and the types of propulsion involved in the errors were identified. To facilitate 
direct comparisons among propulsion technologies, the stage type in which the flight error 
occurred is tracked instead of vehicle type. Since staging failures occur at the interface between 
two vehicle stages, the total number of staging events is assumed to be the sum of all stages and 
labeled as a “staging/deployment” stage type. Among the 795 flights in the entire launch history, 
a total of 1,327 liquid stages and 974 solid stages (605 of which were strap-on “stages”) were 
flown, for an overall ratio of 58%/42% liquid/solid stages. Much of the remainder of this report 
focuses on assessments of reliability at the stage level. 


To investigate the relationship between flight errors and the types of propulsion systems 
involved, stage failure rates of flights with vehicle errors, broken down by payload orbit 
achieved, are plotted in Figure 4. The staging failure rate is defined as the ratio of staging 
failures to total staging events (equivalent to the sum of all flight stages, or 2301). Liquid stage 
failures occur most frequently (2.1e-2 failures per liquid stage), followed by solid stage failures 
(1.2e-2 failures per solid stage), and staging failures (5.0e-3 failures per staging event). 


The results above appear to contradict the results from Table 3, which indicated that liquid-only 
vehicles exhibited a higher demonstrated reliability than solid-only vehicles. However, about half 
of the flight errors occurred on vehicles configured with both types of propulsion stages. Hence, 
the failed propulsion type is not explicitly identified when using the vehicle-level splitting of the 
data. Many of the errors on the combination vehicles, in fact, did occur in a liquid stage. 


Separation errors between two vehicle stages appear to occur most infrequently, but the total rate 
of encountering a staging failure is closer to 1.5e-3 failures per flight because a typical flight has 
multiple staging events. 


Figure 4 also shows the percentage of failed stages broken down by payload orbit achieved. The 
final orbit achieved may be used as a proxy for assessing the severity of a failure or a rough 
approximation of when the error occurred in a flight. While the total percentage of errors differs 
by propulsion stage type, the percentage of stages that do not reach any orbit is about equal (1%) 
for liquid and solid stage types. 


About half of the flights with liquid stage failures delivered payloads that still reached some 
orbit. Solid stage failures, on the other hand, often led to payloads that failed to reach orbit. This 
result suggests that liquid stage failures tend to occur later in flight, or are more benign and 
mitigable than solid stage failures. Because most of the missions involved satellite or cargo 
deliveries, many of the launches involving solid stage failures were intentionally terminated for 
safety reasons, further supporting the suggestion that these failures tend to happen earlier in 
flight or are more catastrophic. The low orbital success rate following solid stage failures 
suggests certain implications for the safety of crewed vehicles, if one may extrapolate the results 
of this analysis of primarily expendable launch vehicles. The implications of the ultimate demise of 
the failed flights on the safety of crewed vehicles versus cargo vehicles are described later in this 
document. 


Figure 4. Stage-wise failure percentages for U.S. launches between 1980-2015. 


The stages and failed stage types of the 52 flights with errors are summarized in Figure 5. Each 
launch vehicle configuration is represented by a column of stacked bars: blue for solid stages, red 
for liquid stages, and green for air-launched stages. The stacked bars start with “Stage 0” for 
strap-on boosters or aircraft and increase up through all stages. The launch vehicle family and 
launch date are listed on the horizontal axis, and are grouped by vehicle type. The failed stage is 
marked by a diamond. If a payload failure occurred during or after deployment, the diamond is 
placed in “Stage 5.” If a staging failure occurred (including fairing jettison errors occurring near 
other stage separation events), the diamond is placed between the appropriate stages. The 
manifestation class of the failure is indicated by the shading of the diamonds: black for 
uncontained, grey for loss of control, and white for contained failures. Propulsion system failures 
(motor/engine or MPS) are marked by diamonds outlined in yellow. 


The interpretation of a few launches in the flight error data of Figure 5 is as follows. For 
example, the Atlas failure that occurred on 12/9/1980 was configured with one liquid and one 
solid stage and no strap-on boosters. A propulsion failure occurred during the first stage burn and 
resulted in a loss of control failure. In another example, the Taurus launch on 2/10/1998 has 
conflicting and sparse details surrounding the flight. For this case, the diamond is placed on the 
horizontal axis, marking no particular failed stage or staging event. Little information on the 
incidents surrounding the 8/1/1997 Pegasus and 11/3/2015 Super Strypi flights was found at the 
time of writing; therefore, the manifestation class for these flights is “unknown” and marked 
with an asterisk. 


A number of observations can be drawn from Figure 5. Five flights encountered issues with the 
strap-on boosters (all solid motors), 19 flights encountered issues during the first stage burn (4 on 
solid stages, 15 on liquid stages), and 14 others after the first stage burn (2 on solid stages, 12 on 
liquid stages). Just over half (52%) of the liquid stage failures occurred during the first stage 
burn, while the majority (82%) of the solid failures occurred during first stage burn, which 
includes Stage 0 strap-on boosters, where solids are commonly employed. Consistent with an 
earlier observation, solid stage errors are found to occur earlier in flight than liquid stage errors. 
Of the 12 staging event failures, one occurred during SRB jettison and three during payload 
deployment. Of the remaining 8 staging event failures, 6 (75%) occurred between two solid 
stages and 2 (25%) occurred between two liquid stages. 


1.4 Stage-based Error Trends by Failure Class 


Figure 6 shows the historical trend of all flight anomalies by failure class, similar to Figure 3, but 
separated by failed stage type. Stages and staging events were counted each year so that the rates 
of solid, liquid, and staging anomalies could be compared as functions of stage experience rather 
than as functions of the year flown for developing safety and reliability trends. The vertical 
dotted lines separate the decades, just as a point of reference. 


[Figure 6 panels: a) “U.S. Launches with Liquid Stage Anomalies 1980-2015”, plotted against the 
cumulative number of liquid stages flown; b) “U.S. Launches with Solid Stage Anomalies 
1980-2015”, plotted against the cumulative number of solid stages flown; c) “U.S. Launches with 
Staging Anomalies 1980-2015”. The decades (1980s, 1990s, 2000s, 2010s) are marked on each panel.] 


Figure 6. Failure class trends by failed stage type. 


Figure 6a shows that liquid stage anomalies stemming from design and process errors have not 
reached a plateau and that process-related causes dominate the observed flight anomalies. The 
constant growth of the process-related errors may indicate that either the complexity of liquid 
propulsion stages continues to be difficult to manage or that these stages are more frequently 
used to meet higher, more challenging mission demands. Design-related errors exhibit a similar 
trend, with anomalies continuing to occur throughout the liquid stage experience, but with some 
plateauing occurring in the 1990s and early 2000s. Unknown and weather-related errors 
comprise only a very small fraction of liquid stage anomalies. 


Figure 6b shows that solid stage anomalies appear to have reached a plateau with only one error 
since 2001. Unknown error classifications, which arise generally from a lack of launch failure 
documentation, were observed more often in solid stage failures than liquid stage or staging 
failures. 


Figure 6c shows that staging/deployment event anomaly trends resemble solid stage anomaly 
trends in all areas except recent (post-2007) design errors. 


1.5 Vulnerabilities and System-System Interactions 


All Failures 


The results of the current survey are consistent with previous studies [12] [13], which have 
shown that most launch vehicle failures manifest in a propulsion system. Figure 7 
categorizes the flights with launch vehicle errors by the manifesting subsystem of each failure. 
Propulsion failures, which include both engine/motor failures and MPS failures, were 
responsible for 46% of the failed flights. 


[Chart: Overall manifesting subsystem errors.] 


Figure 7. Manifesting subsystem failures over all launches. 


To understand how problems develop in launch vehicles, it is useful to know where the first signs 
of off-nominal behavior begin and how these problems propagate through the launch vehicle. 
Figure 8 shows the relationship between the initiating and manifesting subsystems in the flights 
with launch vehicle errors. A given cell contains the number of launches with that combination of 
initiating-to-manifesting subsystems. For example, of the 23 engine and motor manifesting 
failures (column 1), 10 originated within the engine or motor itself and 14 originated elsewhere 
(9 in the MPS, 3 in avionics, and 1 in GNC). 


Stacked bar charts in Figure 8 illustrate the relationship between initiating and manifesting 
subsystems in the launch failures using the failure tallies in the figure matrix. The stacked bars to 
the right of the figure matrix show the number of launch failures by initiating subsystem in which 
the manifesting and initiating subsystem are the same (on matrix diagonal) in tan and different 
(off-diagonal) in pink. The stacked bars below the figure matrix show the number of launch 
failures by manifesting subsystem in which the manifesting and initiating subsystem are the same 
(on matrix diagonal) in grey and different (off-diagonal) in blue. 


The stacked bar charts show that while most vehicle failures do evolve into propulsion failures, 
the initiating subsystems leading to the failure are not limited to issues within the engine/motor 
itself, but rather also stem from propellant management (MPS), avionics, and GNC initiators. This 
suggests that an engine/motor subsystem tends to be tightly coupled to other subsystems, 
rendering it prone to causing launch failures at rates higher than the rate its inherent subsystem 
reliability would indicate. The tightly-coupled interactive relationships between the subsystems 
in the launch vehicles play a large role in the overall failures of the vehicles, as demonstrated by 
the relatively large number of failures that are not initiated and manifested in the same subsystem 
(i.e., given the sizes of the pink and blue bars relative to the tan and grey bars, respectively). 
Among all of the initiating subsystem errors, avionics and MPS errors propagate to and manifest 
failures in the most other subsystems. Engine/motor, GNC, and staging functions are relatively 
sensitive to failures in other subsystems. 


Figure 8. System interactions matrix for all failed flights. 


By Failed Stage Type 


Similar dependency matrices for flight failures grouped by failed stage type reveal differences 
between the interactive subsystem dependencies of liquid and solid stages (Figure 9). The 
failures associated with staging, isolated in Figure 9c, show that over half of the staging errors 
originated in other subsystems (engine and motor or avionics). For flight failures involving liquid 
engine stages (Figure 9a), two-thirds of the flight errors were manifested in the engine, with the 
primary initiators occurring in three different subsystems (engine/motor, MPS, and avionics). 
Nearly half of the engine-manifesting failures originated in the MPS. For solid stages (Figure 
9b), the failures remained localized to the error source, rather than propagated to other 
subsystems. This dominance in subsystem failure propagation by liquid propellant stages reflects 
a complex interdependence among liquid stage subsystems, especially between engine and 
propellant management systems, and is consistent with the prevalence of process-based 
anomalies in liquid propulsion stages (Figure 6). 


c) Staging events 


Figure 9. Interactions matrix by failed stage types. 


Section 2: Historical Safety Study 


Vehicle safety implications from the historical launch vehicle survey data presented in the 
previous section are assessed in this section. Because the historical data contains only one 
vehicle designed for human spaceflight, namely, the Space Shuttle, limited data exists which 
may be used directly for safety and ascent abort assessments. However, data relevant to crew 
safety may still be inferred by examining the much larger set of accidents of cargo flights. 
Ascent failures of all launch vehicles, whether crewed or cargo, can be characterized with a 
small set of attributes, such as the extent of the propagation of the failure, the initial 
manifestation of the failure, and the ultimate demise of the launch vehicle during ascent. These 
characteristics provide insight into the types of failure environments to which an abort system for 
a crewed vehicle would be subjected. Using the historical data to extrapolate for categorical 
differences in vehicle demise leads to an understanding of the timeframes typically encountered 
immediately after an ascent failure and offers qualitative guidance to the amount of time in 
which an abort system would be required to respond. This section extends the historical launch 
vehicle failure data and discusses the distinction between reliability and safety, the key factors 
that would affect crew safety, and the manifestations of failures. 


2.1 Reliability vs. Safety 


The assessment of a launch system’s safety begins with the launch system’s reliability, which is 
obtained from a system-wide consolidation of component reliabilities, and continues with the 
analysis of the consequences of the system’s failures. One might intuitively expect that a more 
reliable vehicle would also be a safer vehicle and, were there sufficient data, there would likely 
be a strong correlation between reliability and safety. The presence of an abort system designed 
to safely return the crew in the event of failure, however, makes such a correlation less than 
perfect. That is, one could conceive a situation in which one launch vehicle tends to experience 
infrequent failures but failures of types that create difficulties for the abort system, relative to 
another vehicle that fails more frequently but more benignly. Essentially, the distinction between 
reliability and safety assessments then lies in the additional attention paid, in the case of a safety 
assessment, to failure consequences and their impact on the ability of the abort system to perform 
its mission. 


In most cases, the effects of a failure early in its propagation will not directly threaten the crew. 
In cases when the crew is not threatened by the environment directly produced by the localized 
manifestation of the failure, a crew-threatening environment may still result from the subsequent 
propagation of the failure through the vehicle via the transfer of material and/or energy until a 
vehicle-level energy release is produced, i.e., energy release directly causing demise of the 
vehicle or a vehicle stage. A safety assessment involves characterizing the types of environments 
that could be created by the various failure modes, and quantifying the impact of the end state 
environments on the ability of a crew module to successfully abort. Essentially, one would like 
to answer the following questions: 


• What type of end-state environments (e.g., explosion) will be generated, given a specific 
type of failure? 
• Will the crew be able to survive the end-state environments? 


The historical launch survey data cannot directly address the second question due to the lack of 
U.S. launch failures involving crewed flights with launch abort systems. To some extent, the 
historical launch failure data can address the first question pertaining to failure propagation, 
although the use of flight termination systems to destroy failing launch vehicles complicates the 
analysis. Engineering judgment is used to fill in the gaps and extrapolate, as necessary, to 
provide a crude assessment of failure propagation patterns in the launch vehicle failure historical 
record. The accident information is interpreted in a manner to best characterize the vehicle state 
at loss of mission (LOM) and the way in which this state evolves to vehicle demise. These two 
failure propagation states provide an important framework for analyzing crew safety. 


A brief overview of the factors affecting crew safety is provided, followed by results of the 
historical safety study. 


2.2 Factors Impacting Crew Safety 


A complete assessment of the crew safety for a launch vehicle would need to consider the crew’s 
exposure to risks in three main phases of an abort: 


1. Near-field — Immediately before and after abort initiation, the crew module and escape 
system must survive any environment generated by the launch vehicle failure. For 
example, a launch vehicle explosion will generate a blast overpressure wave, a debris 
field, and radiant heating or a fireball environment. The relative risks of these 
environments are dependent upon the launch vehicle design, especially the types of 
propulsion systems employed. 


2. Mid-field — Depending on the ascent trajectory and mission elapsed time of the failure, 
the abort system may be subject to dynamic pressure regimes in which maneuverability 
may be limited. Under these conditions, relative ballistics of the launch vehicle and abort 
system may also allow the launch vehicle (or its debris field) to catch up to the crew 
module following its successful escape from the near-field failure environments. 


3. Far-field — During high-altitude service module aborts in which parts of the abort 
trajectory are exo-atmospheric, the crew may be exposed to risks associated with: a) high 
g-loading and/or heating associated with off-nominal entry conditions, b) insufficient 
time-of-freefall prior to atmospheric entry in which to perform any pre-entry maneuvers 
and maintain separation between potential collision hazards, and c) inability to reach a 
landing location from which the crew can be reliably rescued. 


The present study is limited to consideration of the risks in the near-field phase, due to 
dependence of these risks on the specific launch vehicle architecture and type of propulsion 
systems employed. 


Near-Field Environments from Solid Stages 


Solid stages are generally Class 1.3 detonation hazards, which means that they will not detonate 
unless subjected to extreme impact pressure. Therefore, risks to crew during flight are due to the 
overpressure wave associated with the rapid release of contained pressure and a debris field 
comprised of the stage hardware and propellant. These risks will tend to increase with MET as 
the internal empty volume (i.e., the volume not occupied by propellant) increases, but vehicle 
velocity and altitude tend to mitigate the propagation of these types of blasts. Evidence from 
observations of failures of solid propellant stages indicates that the debris field generated is of 
sufficient density and energy to endanger a nearby crew module. 


Near-Field Environments from Liquid Stages 


Liquid stages can produce near-field overpressure waves from detonation of propellant mixtures 
within the confines of the stage (defined as a confined-by-missile explosion), deflagration of 
propellants released into the atmosphere, or detonation of clouds of propellants partially 
contained by the ground in the case of pad explosions. Detonation pressures can be orders of 
magnitude larger than deflagration pressures near the center of the explosion. The specificity of 
the conditions required for a detonation to occur makes these events fairly unlikely; however, 
they must be considered given the severity of the environments they create. 


Internally generated explosions (or confined-by-missile explosions) will likely create a debris 
field that can pose a risk to the crew. There are no known occurrences in the historical record 
involving confined explosions of this type, but data from designed tests [14] indicate the 
potential for high velocity fragments from such events. Pressurized tank bursts and explosion of 
propellants released following structural failure, in combination with aerodynamic forces, will 
likely produce fragments, but with lower imparted velocities than those produced by the high 
detonation pressures and extreme strain rates from confined explosions. 


Liquid stage failures while the vehicle is on the launch pad will produce fireballs capable of 
generating a high heating environment hundreds of meters from the launch site. This heating 
environment is unlikely to pose a risk to the metallic structure of the crew module during abort, 
but may cause failure of deployed parachutes, creating risk to the crew. 


Other Factors 


Another factor affecting overall probability of abort success, especially from loss-of-control 
scenarios, is the vehicle’s structural limitations. The ability of the structure to withstand 
off-nominal attitudes and rates, in combination with other design parameters such as trajectory, 
dynamic pressure, vehicle mass properties, and gimbal authority, is an important determinant in the 
amount of time the abort system may be given to escape prior to breakup (assuming an effective 
vehicle stability monitoring system). While these sub-systems are not part of the propulsion 
system per se, structural requirements will clearly depend on the type of propulsion system 
selected. Characterization of the details of this dependence, however, is beyond the scope of the 
present study. 


Finally, failure of any launch vehicle flying in proximity to populated areas will require a range 
safety destruct system to ensure termination of thrust and prevent debris impacts that could be a 
threat to public safety. The degree to which the flight termination system, installed to protect the 
public, can produce hazardous environments to the crew has historically depended on the type of 
propulsion system employed. Solid motors have been required to be fitted with explosive 
destruct systems for termination of thrust regardless of the nature of the failure (assuming the 
failure has not already done so). The destruct system designs within the U.S. historical failure 
record have been observed to generate debris that would have posed potential risk to crew safety 
had a crew been on board. The degree to which this potential risk would be realized for a specific 
architecture is strongly dependent on details of the architecture, ascent trajectory, and abort 
system. 


2.3 U.S. Failure Initial Manifestation Types and Classes 


Descriptions of the initial failure manifestations are specified as a set of “initial manifestation 
types” that have occurred in the U.S. launch vehicle historical record. Table 4 lists these types 
with a brief description of their meaning as well as a “manifestation class.” The “manifestation 
class” is a broader classification intended to give a high-level indication of the risk of the failure 
in terms of its ability to propagate into a full conflagration, greatly increasing the safety risk to a 
crewed vehicle. Each launch failure was assigned a Manifestation Class and Initial Manifestation 
Type based on available information pertaining to that failure. The intent is to assign a type and 
class based on the state of the vehicle at the time of the initial failure manifestation and the 
potential for propagation of the failure beyond the initiating subsystem. This is clearly a 
challenging exercise, one requiring a fair amount of judgment and expected uncertainty. 


Table 4. Initial manifestation types and classes observed in U.S. launch vehicle failure history. 


Manifestation Class | Initial Manifestation Type | Brief Description
--------------------|----------------------------|------------------
Contained | Low Performance | Payload delivered to wrong orbit. Nominal entry.
Contained | Benign failure/false positive | Engine shutdown prior to safe orbit. Immediate abort required.
Contained | Propellant leak - low performance | Leakage of liquid propellant leading to premature engine shutdown through propellant depletion or insufficient tank pressure.
Contained | Staging - payload fails to separate | Failure of payload to properly separate from launch vehicle. Contained failure, but would be safety threat on crewed vehicle.
Contained | Staging - low performance | Problem during staging which manifests as loss of performance (retained mass, impeded nozzle extension, etc.)
Contained | Vehicle Over-performance — Off-Nominal Ascent | Payload delivered to wrong orbit due to excessive thrust.
Loss of Control | Loss of control | Failure to maintain controlled attitudes and rates.
Loss of Control | Loss of control (asymmetric thrust) | Special case for 2+ engine systems in which one shuts down prematurely.
Loss of Control | Propellant leak - loss of control | Leakage of liquid propellant leading to a loss of control through side forces and/or movements.
Loss of Control | Staging - loss of control | Problem during staging which manifests as loss of control (re-contact, impeded nozzle gimbaling, etc.)
Loss of Control | Tank Burst — Loss of Control | Pressurized tank rupture leading to loss of control through side forces.
Uncontained | Case breach | Slow developing opening in a solid motor case, e.g., due to burn-through of case or seal.
Uncontained | Case burst | Rapid release of solid motor internal pressure through structural failure.
Uncontained | LRE Uncontained | Liquid engine failure to contain energy during shutdown, e.g. MCC burst, turbine burst, or gas leak.
Uncontained | Launch explosion | Failure on the pad leading to release of propellant with ground confined explosion.
Uncontained | Nominal ascent — Damage to payload | Payload is delivered to correct orbital conditions but has been damaged by the vehicle in the process.
Uncontained | Tank Burst — Loss of Vehicle | Pressurized tank rupture leading to rapid, uncontained structural failure and explosion.
Unknown | Unknown | Investigation on this flight was either inconclusive or unavailable.


Generally, an uncontained failure is associated with the release of matter or energy outside the 
bounds of its intended container. However, in a few cases this definition is considered too rigid 
and doesn’t capture the true level of danger associated with the type, e.g., propellant leak that 
leads to depletion and premature engine shutdown is classified as uncontained but may not be an 
explosion risk. Another example to note is the “Nominal ascent — damage to payload” type, 
which has been categorized as an “uncontained” manifestation class because of the potentially 
serious crew safety consequences of incurring damage to the crew module during ascent—the 
Columbia accident is the obvious example. The classification of the “case breach” manifestation 
type is particularly difficult because of the strong sensitivity to the specific architecture, i.e., the 
consequences can vary from no impact (no LOM) to catastrophic impact (e.g., the Challenger 
accident). The classification assignments in this study are based on the worst-case outcome. To 
view the initial manifestation types for each flight, see Table B-2 in Appendix B. 


All Failures 


The failed flights were classified based upon written descriptions of the events during the flight, 
analysis of the failures, and the root cause/corrective action recommendations. Figure 10 shows 
the percentage of failed flights assigned to each manifestation class and type. The Manifestation 
Classes are plotted in the inner pie chart while the Manifestation Types corresponding to each 
class are plotted in the outer ring within each class slice. For example, the “Contained” 
Manifestation Class represents 31% of the failed launches and is comprised of the types listed in 
the outer ring between “Benign Failure/False Positive” and “Vehicle over-performance — 
Off-nominal ascent.” 


Figure 10. Breakdown of all historical failures by manifestation type and class. 


The “Loss of Control” Manifestation Class makes up 42% of the failures. Cases where this 
occurs at high dynamic pressure will ultimately lead to structural breakup and some type of 
explosion involving any liquid propellants on board. However, the explosions resulting from this 
manifestation class are generally considered more survivable than confined-by-missile 
explosions for two reasons: 


1. Unconfined (free-air) mixtures, even assuming an ignition source is available, are 
considered not detonable, so any resulting explosion would be in the form of a vapor 
cloud deflagration. Although such explosions can generate blast waves with considerable 
peak overpressures, these peak pressure values are significantly lower in the near-field 
than detonation-generated peak overpressures and are less able to overcome vehicle 
velocity effects. Lower overpressures produce weaker blast waves, which travel at slower 
speeds. 


2. An abort system can be used to increase the separation distance between the crew module 
and launch vehicle prior to vehicle breakup and explosion. Activation of the abort system 
would depend upon the vehicle data available and the abort trigger rules applied. The 
warning time, which depends on the launch vehicle design (mass properties, failure 
limits, on-board propellant mass and type, escape system performance, etc.), is typically 
sufficient to provide a fairly high level of abort effectiveness against these failures. 


The “Uncontained” Manifestation Class makes up 23% of the failures. This manifestation class 
is intended to capture failures that arise in such a way as to make abort difficult, usually through 
rapid release of energy with the potential to propagate into a severe environment. Typically, this 
class is dominated by failures manifesting in the propulsion system (i.e., engine, motor, or 
propellant feed system). This class also includes failures that lead directly to payload damage 
without necessarily developing any dramatic failure environment, and often not even preventing 
the launch vehicle from reaching its intended orbit. 


By Failed Stage Type 


The failed launches were separated according to the failed stage type of each flight in Figure 11, 
where the same plot style and shading scheme as in Figure 10 is used. Except for one failure 
caused by low first stage engine performance leading to staging at off-nominal dynamic pressure, 
staging failures were not considered the fault of the propulsion system. The plots were then 
assessed to determine the effects of stage type on the initial failure manifestation and potential 
for failure propagation. 


A larger fraction of the solid stage failures was observed to have been manifested as uncontained 
failures compared to those of liquid stages (33% versus 25%). The percentage of uncontained 
liquid stage failures includes missions characterized as failures due to payload damage. This 
classification is justified in the case of Space Shuttle Columbia because the liquid stage 
insulation initiated the accident; however, the root cause of the other payload damage case 
(August 6, 1981 Atlas flight) is unknown. 


Nearly 30% of liquid stage failures manifested as premature shutdowns which, depending on the 
mission elapsed time of the failure, are categorized as a “benign failure” with immediate reentry, 
or as “low performance” with off-nominal orbit. By comparison, the fraction of solid stage 
failures that are considered contained failures is only 8%. 


For solid stages, 42% of the failures manifested as “loss of control” failures, similar to the 
46% of liquid stage failures. Three of the solid stage loss of control failures involved 
exhausting the hydraulic fluid required to drive the stage’s thrust vector control (TVC) system, 
whereas liquid stages tend to use on-board propellant to drive the TVC hydraulics and are 
therefore less prone to loss of hydraulic fluid. 


Finally, 12 staging failures are shown in Figure 11c. These failures were manifested as loss of 
control in 33% of the observed cases, either through gimbal limitation, re-contact, or asymmetric 
separation. Another 42% of the cases led to low performance, either because nozzle extensions 
were impeded or because mass that was intended to be shed separated late or not at all. Two 
cases (17%) were failures of the satellites to separate at the correct conditions. 


Figure 11. Manifestation types broken down by type of stage in which failure was manifested. 


By Propulsion System Failures 


The flight failure data discussed above was filtered to consider only failures that originated in the 
propulsion system (engine, motor, and MPS) and is shown in Figure 12. A total of 24 failures 
were identified as directly propulsion-related: 20 liquid engine failures and 4 solid motor 
failures. All solid motor-related failures were classified as “uncontained” manifestations. The 
liquid engine failures break down in a manner in which, relative to the overall liquid stage failure 
distribution, a contained failure is more likely than an uncontained failure. Loss of control 
failures represent roughly one third of liquid engine failure outcomes, a somewhat lower fraction 
than that observed for all liquid stage failures. 


Figure 12. Propulsion related failures by manifestation and propulsion type. 


2.4 Ultimate Mode of Demise 


The failure history was assessed in terms of the ultimate mode of launch vehicle demise for more 
insight into the potential for sufficient warning time to initiate an abort. The mode of demise 
represents the end of the propagation process that begins with the manifestation types discussed 
in the previous section. Tracking the ultimate demise allows an assessment of the degree to 
which the observed initial manifestation propagated to catastrophic demise of the vehicle. The 
cases are categorized according to the mode by which the vehicle was ultimately destroyed: 


• Environment — The release of energy, either as a direct result of the initial failure 
manifestation or from a propagation of failures through the vehicle, results in the 
immediate breakup of the vehicle. For example, engine fire causes burn-through or 
over-pressurization of aft propellant tank. 

• Loss of function — The immediate manifestation does not directly lead to vehicle breakup, 
but the loss of critical functionality causes the vehicle to be subjected to extreme loads or 
to be a threat to public safety. For example, engine failure causes loss of thrust leading to 
ground impact (near pad), loss of control (high dynamic pressure), and/or range 
violations and FTS activation. 

• None — Launches whose payloads achieved orbit, including unintended orbits, or whose 
payloads failed to achieve orbit but for which the vehicle failure occurred outside the 
detectable atmosphere and did not suffer its demise prior to reentry. 


This classification differentiates failures that cause vehicle demise by internal failure propagation 
from those that lead to demise by external forces/environments because the vehicle has lost the 
capability of resisting or avoiding those forces/environments. This classification approach is 
valuable because failures in which the demise was experienced through loss of function are 
perhaps more likely to be detected in advance of vehicle breakup relative to those in which the 
initial environment propagates directly to breakup. 


Twenty-eight flights either placed payloads into some type of orbit or did not suffer launch 
vehicle demise before reaching orbit altitude; these were categorized with the demise type “None.” 
Table 5 excludes these flights and provides a summary for the remaining 24 flights with their 
demise types. 


Table 5. Failures not reaching orbit, grouped by method of destruction with manifestation and 
demise classifications. 


Launch | Failed Stage Type | Manifestation Class | Launch Vehicle Demise
-------|-------------------|---------------------|----------------------
Antares_10/28/2014 | Liquid | Uncontained | Environment
Athena_8/15/1995 | Solid | Loss of Control | Loss of Function
Atlas_12/18/1981 | Liquid | Loss of Control | Loss of Function
Atlas_12/9/1980 | Liquid | Loss of Control | Loss of Function
Atlas_3/26/1987 | Liquid | Loss of Control | Loss of Function
Atlas_4/18/1991 | Liquid | Loss of Control | Loss of Function
Atlas_8/23/1992 | Liquid | Loss of Control | Loss of Function
Conestoga_10/23/1995 | Solid | Loss of Control | Loss of Function
Delta_1/17/1997 | Solid | Uncontained | Environment
Delta_5/3/1986 | Liquid | Loss of Control | Loss of Function
Delta_8/27/1998 | Solid | Loss of Control | Loss of Function
Falcon_3/24/2006 | Liquid | Uncontained | Loss of Function
Falcon_6/28/2015 | Liquid | Uncontained | Environment
Pegasus_6/22/1995 | Staging | Loss of Control | Loss of Function
Pegasus_6/27/1994 | Solid | Loss of Control | Loss of Function
Shuttle_1/28/1986 | Solid | Uncontained | Environment
Strypi_11/3/2015 | Solid | Unknown | Environment
Titan_4/18/1986 | Solid | Uncontained | Environment
Titan_8/12/1998 | Liquid | Loss of Control | Loss of Function
Titan_8/2/1993 | Solid | Uncontained | Environment
Titan_8/28/1985 | Liquid | Loss of Control | Loss of Function
Zenit_1/30/2007 | Liquid | Uncontained | Loss of Function
Zenit_2/1/2013 | Liquid | Loss of Control | Loss of Function
Zenit_3/12/2000 | Liquid | Loss of Control | Loss of Function

[Failed Stage (stage number) column: values not recoverable.]


Seventeen flights (over 70%) were categorized as a “Loss of Function” vehicle demise. These 
cases could be further divided into those for which demise was produced by aerodynamic 
breakup versus those for which the FTS system was activated. The former would typically 
evolve more rapidly to vehicle failure than the latter and these are important cases in the design 
of abort and detection systems. 


The vehicles in seven of the failure cases (nearly 30%) were destroyed by neither range safety 
nor environments produced by loss of functionality. Instead, these vehicles are classified as 
having been destroyed directly by the failure environment (demise category “Environment”). In 
some of these cases, especially those with strap-on boosters, detection might have been possible 
using break wires to indicate component separation. Predicting the effectiveness of such systems 
is difficult; however, video evidence of some of these failures indicates that sufficient warning 
might have been available. 


The launch vehicle demise data are grouped according to stage type, manifestation class, and 
launch vehicle demise and are graphed in Figure 13. The figure leads one to the obvious 
conclusion that only uncontained failures can propagate directly to vehicle-level explosion. The 
manifestation type and class of the 11/3/2015 Strypi failure could not be determined based on the 
currently available information. However, given the demise class appears to be spontaneous 
explosion, it is reasonable to infer that the manifestation class is “Uncontained”. Relatively high 
fractions of uncontained failures propagated to vehicle demise for both solid and liquid stage 
failures. All uncontained failures of solid stages propagated to demise by failure environment. 
Uncontained failures of liquid stages propagated to demise by environment in 50% of the cases. 
Caution is recommended in accepting these statistics beyond the current observations, given the 
small sample size. 


Figure 13. Failures not reaching orbit by launch vehicle demise and manifestation class. 


Given a reliable abort system and vehicle health monitoring system, one would expect a high 
likelihood of survival from launch failures not classified as uncontained. Survival rates for those 
uncontained failures that propagate directly to vehicle explosion would depend on factors that 
are difficult to quantify from the available data in a general way. These factors include the ability 
to detect conditions early in the failure propagation process and the severity of the explosive 
environments created at vehicle demise. 
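

As an added example (not part of the report), the Python below tallies the Table 5 rows to reproduce the demise statistics quoted in this section. It assumes the table's columns align row by row in the order listed; the function names are illustrative.

```python
from collections import Counter

# Flights with demise type "None" (stated in the text); they are not in Table 5.
NONE_DEMISE_FLIGHTS = 28

# Table 5 rows: launch | failed stage type | manifestation class | demise.
# Transcribed from the report's table, assuming row-by-row column alignment.
TABLE5 = """\
Antares_10/28/2014|Liquid|Uncontained|Environment
Athena_8/15/1995|Solid|Loss of Control|Loss of Function
Atlas_12/18/1981|Liquid|Loss of Control|Loss of Function
Atlas_12/9/1980|Liquid|Loss of Control|Loss of Function
Atlas_3/26/1987|Liquid|Loss of Control|Loss of Function
Atlas_4/18/1991|Liquid|Loss of Control|Loss of Function
Atlas_8/23/1992|Liquid|Loss of Control|Loss of Function
Conestoga_10/23/1995|Solid|Loss of Control|Loss of Function
Delta_1/17/1997|Solid|Uncontained|Environment
Delta_5/3/1986|Liquid|Loss of Control|Loss of Function
Delta_8/27/1998|Solid|Loss of Control|Loss of Function
Falcon_3/24/2006|Liquid|Uncontained|Loss of Function
Falcon_6/28/2015|Liquid|Uncontained|Environment
Pegasus_6/22/1995|Staging|Loss of Control|Loss of Function
Pegasus_6/27/1994|Solid|Loss of Control|Loss of Function
Shuttle_1/28/1986|Solid|Uncontained|Environment
Strypi_11/3/2015|Solid|Unknown|Environment
Titan_4/18/1986|Solid|Uncontained|Environment
Titan_8/12/1998|Liquid|Loss of Control|Loss of Function
Titan_8/2/1993|Solid|Uncontained|Environment
Titan_8/28/1985|Liquid|Loss of Control|Loss of Function
Zenit_1/30/2007|Liquid|Uncontained|Loss of Function
Zenit_2/1/2013|Liquid|Loss of Control|Loss of Function
Zenit_3/12/2000|Liquid|Loss of Control|Loss of Function
"""


def load_rows(text=TABLE5):
    """Parse the pipe-delimited rows into dictionaries."""
    rows = []
    for line in text.strip().splitlines():
        launch, stage, cls, demise = (f.strip() for f in line.split("|"))
        rows.append({"launch": launch, "stage": stage,
                     "class": cls, "demise": demise})
    return rows


def demise_counts(rows):
    """Number of flights per launch vehicle demise mode."""
    return Counter(r["demise"] for r in rows)


def crosstab(rows):
    """Map (stage type, manifestation class) -> Counter of demise modes."""
    table = {}
    for r in rows:
        table.setdefault((r["stage"], r["class"]), Counter())[r["demise"]] += 1
    return table


def env_fraction(rows, stage, cls):
    """Fraction of a (stage type, class) cell whose demise was 'Environment'."""
    cell = crosstab(rows).get((stage, cls), Counter())
    total = sum(cell.values())
    return cell["Environment"] / total if total else None


def classes_with_direct_demise(rows):
    """Manifestation classes that appear with demise by failure environment."""
    return {r["class"] for r in rows if r["demise"] == "Environment"}


def direct_demise_share_of_all_failures(rows):
    """'Environment' demises as a share of all failed flights (Table 5 + 'None')."""
    return demise_counts(rows)["Environment"] / (len(rows) + NONE_DEMISE_FLIGHTS)


if __name__ == "__main__":
    rows = load_rows()
    print(dict(demise_counts(rows)))
    for key, cell in sorted(crosstab(rows).items()):
        print(key, dict(cell))
    print("Solid/Uncontained -> Environment:", env_fraction(rows, "Solid", "Uncontained"))
    print("Liquid/Uncontained -> Environment:", env_fraction(rows, "Liquid", "Uncontained"))
    print("Share of all failures:", round(direct_demise_share_of_all_failures(rows), 3))
```
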


Section 3: Safety and Reliability Summary 


This historical review was conducted to identify trends in launch vehicle failures as they pertain 
to safety and reliability of liquid and solid propellant propulsion technologies. While launch 
vehicles over the history of space flight have come in a variety of distinct architectures, a 
combined analysis across all architectures assessed at the vehicle stage level more readily 
identifies vulnerabilities, root causes, and interactions that impact mission success and crew 
safety. The key findings of this study are: 


e Mission success statistics are strongly dependent on the accounting approach used. 
Conclusions vary significantly depending on how the data is parsed. 

e When considering failures by launch vehicle configuration, vehicles configured with both 
liquid and solid stages have the highest median demonstrated reliability, followed by 
liquid-only and then solid-only vehicles. 

e When considering failures by the type of stage (liquid or solid) which failed, liquid 
systems experienced more mission-limiting failures than solid stages, while solid stage 
failures showed a higher likelihood of being uncontained than liquid stage failures (33% 
vs. 25%, respectively). 

e Most liquid engine failures were associated with interactions between systems, and were 
dominated by process control issues. The majority of solid motor failure initiators did not 
migrate to other systems. 

e Classification of historical failure manifestations indicated that a large majority of U.S. 
launch vehicle failures led to contained shutdown or loss of control, with only 23% 
leading to uncontained failure. 

• Assessment of the ultimate mode of vehicle demise showed that, of the 52 launch failures 
included, only about 13% appear to have experienced demise by failure environment 
directly, without first experiencing a loss of functionality. All others either did not end in 
demise or broke up through the action of environments produced by the loss of 
functionality. This indicates a fairly high level of potential survivability if one assumes 
these environments (e.g., attitudes and rates from loss of control) are more predictable 
and reliably detectable than those produced by internal failure propagation. 


• Failures producing local environments that evolve directly to vehicle demise/explosion 
are of special concern for crew safety because of the potential for explosion to occur prior 
to activation of an abort system. Assessment of uncontained failures indicates a large 
majority of uncontained failures propagated to vehicle demise by way of the failure 
environments. All uncontained failures (and one of unknown class) of solid stages have 
propagated directly to vehicle demise and half of uncontained failures of liquid stages led 
directly to breakup. 


Appendix A: Relevant Exceptions 


Table A-1 lists the flights with post-separation or minor errors that are not included in the failure 
database because they do not fit the definitions of launch vehicle error used in this report. Most 
of the flights in this list are classified as spacecraft failures or partial failures in other sources. 


Four of the flights in this table (boldfaced and labeled with an *) may appear to conflict with 
other sources so a short rationale for how they were eventually processed in our database is 
provided below. Details for three other flights categorized as successes in our database are 
provided below because anomalous events have been documented or they may appear to conflict 
with some sources. A brief description of these seven flights is included below since they present 
scenarios that may be relevant to specific risk studies. 


Table A-1. Flights between 1980-2015 with post-separation or minor errors not covered in the 
failure data. 


Date | Vehicle Family | Launch Status 
4/10/1982 | Thor/Delta | Post-separation error 
4/4/1983 | Space Shuttle | Post-separation error 
2/3/1984 | Space Shuttle | Post-separation error 
6/17/1985 | Space Shuttle | Post-separation error 
8/27/1985 | Space Shuttle | Post-separation error 
9/6/1989 | Titan | Post-separation error 
6/23/1990 | Titan | Post-separation error 
12/1/1990 | Atlas | Post-separation error 
12/2/1992 | Space Shuttle | Post-separation error 
4/25/1993 | Pegasus | Post-separation error 
10/5/1993 | Titan | Post-separation error 
4/13/1994 | Atlas | Post-separation error 
11/21/1996 | Atlas | Post-separation error 
10/22/1997 | Pegasus | Post-separation error 
3/5/1999 | Pegasus | Post-separation error 
4/9/1999 | Titan* | Post-separation error 
7/23/1999 | Space Shuttle* | Minor error 
8/23/2000 | Thor/Delta* | Minor error 
3/8/2002 | Atlas | Post-separation error 
11/23/2002 | Space Shuttle* | Minor error 
1/11/2004 | Zenit-3 | Post-separation error 
4/16/2004 | Atlas | Post-separation error 
12/14/2006 | Thor/Delta | Post-separation error 


• Titan 34B 4/24/1981 (success) — This flight is listed as a partial failure in multiple 
sources [15] [16] [17], but very little additional information about the sequence of events 
was found. Jumpseat 6 did not separate and only achieved an apogee of 708 km (instead 
of the 39377 km planned). It is not clear if this error was caused by the launch vehicle or 
the payload, thus, our survey follows reference [4] and treats this flight as a success. 


• Titan 34D 4/9/1999 (post-separation error) — The two-stage Inertial Upper Stage (IUS) 
failed to operate properly and left the payload tumbling after it attempted a second stage 
burn. The IUS is not considered a part of the launch vehicle itself in reference [4] and this 
definition was adopted for this survey. Therefore, this incident is treated as a 
post-separation error in our survey. 


• STS-93, Columbia 7/23/1999 (minor error) — This mission was considered a success by 
many sources as it fell within the +/- 18km limit of its intended orbit and fulfilled all 
mission objectives. However, Columbia experienced an early SSME shutdown due to a 
small hydrogen leak. A gold pin used to plug an oxidizer post caused the leak after it was 
violently ejected and struck the inner nozzle surface, tearing open 3 hydrogen cooling 
tubes. At T+5s an electrical short disabled the center SSME’s primary digital control unit 
(DCU) and the right SSME’s DCU. The engines continued running on their remaining 
DCU for the rest of the flight. Without the redundant set of DCUs, Columbia would have 
experienced two SSME shutdowns that would have resulted in a very risky abort. Poorly 
routed wiring that rubbed through on an exposed screw head caused the electrical short 
[18] [19]. This flight is labeled as having a “minor” error in our survey. 


• Delta-8930 8/23/2000 (minor error) — The launch vehicle missed its intended target by 
over a thousand nautical miles, but the mission was still considered a complete success 
by Boeing. The company launched a demonstration satellite in an attempt to prove the 
reliability of their Delta III rocket after two earlier failures. The desired apogee was 
12,637 miles, but the vehicle inserted the dummy payload with an apogee of 11,174 
miles. This fell within their determined margin of error but was still rumored as a failure 
throughout the aerospace industry [20]. This flight is labeled as having a “minor” error in 
our survey. 


• STS-113, Endeavour 11/23/2002 (minor error) — After many launch scrubs, STS-113 
finally took off and successfully achieved all mission objectives. However, during an 
OMS (Orbital Maneuvering System) assist burn during the early part of ascent to orbit, a 
valve in the right OMS engine failed to open completely. It was decided to only use the 
left OMS engine for later burns [7]. This flight is labeled as having a “minor” error in our 
survey. 


• Falcon 9 12/9/2010 (success) — This mission’s primary goals were to demonstrate the 
orbital maneuvering and reentry of the Dragon capsule and it became the first 
commercially built and operated spacecraft to be successfully recovered from orbit. In 
2011, Space Exploration Technologies (SpaceX) Corp. acknowledged that its Falcon 9 
rocket experienced an engine anomaly during its December launch of the company’s 
reusable Dragon space capsule [21]. Despite the anomaly, the mission was considered a 
complete success [22]. Two of the nine liquid-fueled Merlin engines that power the 
rocket’s first stage ran low on kerosene during the cutoff sequence, resulting in a 
potentially problematic situation that a senior SpaceX official described as “an 
oxidizer-rich shutdown.” Such a shutdown could change mixture ratios, which could cause 
temperatures to increase inside the gas generator and damage the turbines in the 
turbopumps. As a result, more fuel was loaded on the following flight to avoid a repeat of 
the oxidizer-rich engine shutdown [23]. Despite the documented anomaly, this flight 
follows most other sources and is considered a success in our survey. 


• Delta IV 10/4/2012 (success) — This mission was considered a success by both the United 
Launch Alliance (ULA) and their client, the U.S. Air Force, despite a fuel leak in the 
RL10B-2 upper stage engine that prompted an anomaly investigation and a hold on Atlas 
V and Delta IV flights configured with RL10 engines. The leak started during the first 
engine start sequence of the launch [24]. The mission included three planned upper-stage 
burns that would eventually move the payload to a circular orbit in line with the GPS 
network. However, the engine produced less thrust than expected and as a result, the 
launch vehicle extended each of the burns 20-36 seconds longer than nominal predictions 
to compensate. The success of the mission was attributed to the satellite’s light weight, 
which allowed the Delta IV to burn longer than planned with plenty of fuel left over [25]. 
Detailed information on the cause of the anomaly is not immediately available, thus this 
flight is considered a success in our survey. 


Appendix B: Additional Data for Flights with Launch Vehicle Errors 


Table B-1. Stage and Vehicle Information. 


Date | Vehicle Model | Vehicle Type | Stage 0 Type | Stage 1 Type | Stage 2 Type | Stage 3 Type | Stage 4 Type | Failed Stage # | Failed Stage Type 
5/29/80 | Atlas-E/F-Star-37-ISS | Combined | None | Liquid | Solid | None | None | 1 | Liquid 
7/14/80 | Thor-LV2F Burner-2A | Combined | None | Liquid | Solid | Solid | None | 3 | Staging 
12/9/80 | Atlas-E/F MSD | Combined | None | Liquid | Solid | None | None | 1 | Liquid 
8/3/81 | Delta-3913 | Combined | Solid | Liquid | Liquid | Solid | None | 1 | Liquid 
8/6/81 | Atlas-SLV3D Centaur-D1AR | Liquid Only | None | Liquid | Liquid | None | None | 5 | Staging 
12/18/81 | Atlas-E/F SGS-1 (Atlas-E/F SVS-1) | Combined | None | Liquid | Solid | Solid | None | 1 | Liquid 
6/9/84 | Atlas-G Centaur-D1AR | Liquid Only | None | Liquid | Liquid | None | None | 2 | Liquid 
7/29/85 | Shuttle (STS) | Combined | Solid | Liquid | None | None | None | 1 | Liquid 
8/28/85 | Titan-34D | Combined | Solid | Liquid | Liquid | None | None | 1 | Liquid 
1/28/86 | Shuttle (STS) | Combined | Solid | Liquid | None | None | None | 0 | Solid 
4/18/86 | Titan-34D | Combined | Solid | Liquid | Liquid | None | None | 0 | Solid 
5/3/86 | Delta-3914 | Combined | Solid | Liquid | Liquid | Solid | None | 1 | Liquid 
3/26/87 | Atlas-G Centaur-D1AR | Liquid Only | None | Liquid | Liquid | None | None | 1 | Liquid 
9/2/88 | Titan-34D Transtage | Combined | Solid | Liquid | Liquid | Liquid | None | 3 | Liquid 
3/14/90 | Commercial Titan-3 | Combined | Solid | Liquid | Liquid | None | None | 5 | Staging 
4/18/91 | Atlas-1 | Liquid Only | None | Liquid | Liquid | None | None | 2 | Liquid 
7/17/91 | Pegasus-H | Combined | Aircraft | Solid | Solid | Solid | Liquid | 2 | Staging 
8/23/92 | Atlas-1 | Liquid Only | None | Liquid | Liquid | None | None | 2 | Liquid 
3/25/93 | Atlas-1 | Liquid Only | None | Liquid | Liquid | None | None | 1 | Liquid 
8/2/93 | Titan-403A, 404A, 405A | Combined | Solid | Liquid | Liquid | None | None | 0 | Solid 
5/19/94 | Pegasus HAPS | Combined | Aircraft | Solid | Solid | Solid | Liquid | 4 | Liquid 
6/27/94 | Pegasus-XL | Solid Only | Aircraft | Solid | Solid | Solid | None | 1 | Solid 
6/22/95 | Pegasus-XL | Solid Only | Aircraft | Solid | Solid | Solid | None | 2 | Staging 
8/5/95 | Delta-7925 (Delta-2925) | Combined | Solid | Liquid | Liquid | Solid | None | 0 | Staging 
8/15/95 | Athena-1 | Combined | None | Solid | Solid | Liquid | None | 1 | Solid 
10/23/95 | CONESTOGA 1620 | Solid Only | None | Solid | Solid | Solid | Solid | 1 | Solid 
11/4/96 | Pegasus-XL | Solid Only | Aircraft | Solid | Solid | Solid | None | 5 | Staging 
1/17/97 | Delta-7925 (Delta-2925) | Combined | Solid | Liquid | Liquid | Solid | None | 0 | Solid 
8/1/97 | PEGASUS XL\L.1011 | Solid Only | Aircraft | Solid | Solid | Solid | None | 3 | Solid 
2/10/98 | Taurus-2210 | Solid Only | None | Solid | Solid | Solid | Solid | Unknown | Solid 
8/12/98 | Titan-401A Centaur-T | Combined | Solid | Liquid | Liquid | Liquid | None | 2 | Liquid 
8/27/98 | Delta-8930 (Delta-3940) | Combined | Solid | Liquid | Liquid | None | None | 0 | Solid 
4/27/99 | Athena-2 | Combined | None | Solid | Solid | Solid | Liquid | 3 | Staging 
4/30/99 | Titan-401B Centaur-T | Combined | Solid | Liquid | Liquid | Liquid | None | 3 | Liquid 
5/5/99 | Delta-8930 (Delta-3940) | Combined | Solid | Liquid | Liquid | None | None | 2 | Liquid 
3/12/00 | Zenit-3SL | Liquid Only | None | Liquid | Liquid | Liquid | None | 2 | Liquid 
9/21/01 | Taurus-2110 (Commercial-Taurus) | Solid Only | None | Solid | Solid | Solid | Solid | 2 | Solid 
1/16/03 | Shuttle (STS) | Combined | Solid | Liquid | None | None | None | 1 | Liquid 
6/29/04 | Zenit-3SL | Liquid Only | None | Liquid | Liquid | Liquid | None | 3 | Liquid 
12/21/04 | Delta-4H (Delta-4050H) | Liquid Only | Liquid | Liquid | Liquid | None | None | 1 | Liquid 
3/24/06 | Falcon-1 | Liquid Only | None | Liquid | Liquid | None | None | 1 | Liquid 
1/30/07 | Zenit-3SL | Liquid Only | None | Liquid | Liquid | Liquid | None | 1 | Liquid 
3/21/07 | Falcon-1 | Liquid Only | None | Liquid | Liquid | None | None | 1 | Staging 
6/15/07 | ATLAS V 401 | Liquid Only | None | Liquid | Liquid | None | None | 2 | Liquid 
8/3/08 | Falcon-1 | Liquid Only | None | Liquid | Liquid | None | None | 2 | Staging 
2/24/09 | TAURUS (CASTOR 120) XL 3110 | Solid Only | None | Solid | Solid | Solid | Solid | 3 | Staging 
3/4/11 | TAURUS (CASTOR 120) XL 3110 | Solid Only | None | Solid | Solid | Solid | Solid | 3 | Staging 
10/8/12 | FALCON9 V1 | Liquid Only | None | Liquid | Liquid | None | None | 1 | Liquid 
2/1/13 | ZENIT 3 SL (SEA LAUNCH)BLOK DM-SL | Liquid Only | None | Liquid | Liquid | Liquid | None | 1 | Liquid 
10/28/14 | ANTARES-130 | Combined | None | Liquid | Solid | None | None | 1 | Liquid 
6/28/15 | FALCON 9 V1 | Liquid Only | None | Liquid | Liquid | None | None | 2 | Liquid 
11/3/15 | SPARK | Solid Only | None | Solid | Solid | Solid | None | 1 | Solid 


Table B-2. Failure Details. 


Date | Vehicle Model | Payload Orbit Achieved | Failure Class | Initiating Subsystem | Manifesting Subsystem | Manifestation Class | Initial Manifestation Type | Launch Vehicle Demise 
5/29/80 | Atlas-E/F-Star-37-ISS | Unintended orbit | design | engine/motor | staging | Loss of Control | Tank burst - Loss of control | None 
7/14/80 | Thor-LV2F Burner-2A | Failed to orbit | process | avionics | staging | Loss of Control | Staging - Loss of control | None 
12/9/80 | Atlas-E/F MSD | Failed to orbit | design | engine/motor | engine/motor | Loss of Control | Loss of Control (asymmetric thrust) | Loss of Function 
8/3/81 | Delta-3913 | Unintended orbit | unknown | MPS | engine/motor | Contained | Propellant leak/loss - Low performance | None 
8/6/81 | Atlas-SLV3D Centaur-D1AR | Final orbit reached | unknown | structure | structure | Uncontained | Nominal ascent - Damage to payload | None 
12/18/81 | Atlas-E/F SGS-1 (Atlas-E/F SVS-1) | Failed to orbit | process | engine/motor | engine/motor | Loss of Control | Loss of Control (asymmetric thrust) | Loss of Function 
6/9/84 | Atlas-G Centaur-D1AR | Unintended orbit | process | MPS | MPS | Loss of Control | Tank burst - Loss of control | None 
7/29/85 | Shuttle (STS) | Unintended orbit | design | avionics | engine/motor | Contained | Benign Failure/False Positive | None 
8/28/85 | Titan-34D | Failed to orbit | process | MPS | engine/motor | Loss of Control | Loss of Control (asymmetric thrust) | Loss of Function 
1/28/86 | Shuttle (STS) | Failed to orbit | weather | engine/motor | engine/motor | Uncontained | Case breach | Environment 
4/18/86 | Titan-34D | Failed to orbit | process | engine/motor | engine/motor | Uncontained | Case burst | Environment 
5/3/86 | Delta-3914 | Failed to orbit | design | avionics | engine/motor | Loss of Control | Loss of Control (asymmetric thrust) | Loss of Function 
3/26/87 | Atlas-G Centaur-D1AR | Failed to orbit | weather | avionics | GNC | Loss of Control | Loss of Control | Loss of Function 
9/2/88 | Titan-34D Transtage | Unintended orbit | process | MPS | engine/motor | Contained | Propellant leak/loss - Low performance | None 
3/14/90 | Commercial Titan-3 | Final orbit reached | process | avionics | staging | Contained | Staging - Stages/payload fail to separate | None 
4/18/91 | Atlas-1 | Failed to orbit | process | MPS | engine/motor | Loss of Control | Loss of Control (asymmetric thrust) | Loss of Function 
7/17/91 | Pegasus-H | Unintended orbit | unknown | staging | staging | Contained | Staging - Low performance | None 
8/23/92 | Atlas-1 | Failed to orbit | process | MPS | engine/motor | Loss of Control | Loss of Control (asymmetric thrust) | Loss of Function 
3/25/93 | Atlas-1 | Unintended orbit | process | MPS | engine/motor | Contained | Low Performance | None 
8/2/93 | Titan-403A, 404A, 405A | Failed to orbit | process | engine/motor | engine/motor | Uncontained | Case burst | Environment 
5/19/94 | Pegasus HAPS | Unintended orbit | design | GNC | engine/motor | Contained | Benign Failure/False Positive | None 
6/27/94 | Pegasus-XL | Failed to orbit | design | avionics | GNC | Loss of Control | Loss of Control | Loss of Function 
6/22/95 | Pegasus-XL | Failed to orbit | process | staging | GNC | Loss of Control | Staging - Loss of control | Loss of Function 
8/5/95 | Delta-7925 (Delta-2925) | Final orbit reached | weather | staging | staging | Contained | Staging - Low performance | None 
8/15/95 | Athena-1 | Failed to orbit | design | GNC | GNC | Loss of Control | Loss of Control | Loss of Function 
10/23/95 | CONESTOGA 1620 | Failed to orbit | design | avionics | GNC | Loss of Control | Loss of Control | Loss of Function 
11/4/96 | Pegasus-XL | Unintended orbit | process | avionics | staging | Contained | Staging - Stages/payload fail to separate | None 
1/17/97 | Delta-7925 (Delta-2925) | Failed to orbit | process | engine/motor | engine/motor | Uncontained | Case burst | Environment 
8/1/97 | PEGASUS XL\L.1011 | Final orbit reached | unknown | unknown | unknown | Unknown | Unknown | None 
2/10/98 | Taurus-2210 | Unintended orbit | unknown | unknown | unknown | Contained | Vehicle over-performance - Off-nominal ascent | None 
8/12/98 | Titan-401A Centaur-T | Failed to orbit | process | avionics | GNC | Loss of Control | Loss of Control | Loss of Function 
8/27/98 | Delta-8930 (Delta-3940) | Failed to orbit | design | GNC | GNC | Loss of Control | Loss of Control | Loss of Function 
4/27/99 | Athena-2 | Failed to orbit | design | avionics | staging | Contained | Staging - Low performance | None 
4/30/99 | Titan-401B Centaur-T | Unintended orbit | process | avionics | GNC | Loss of Control | Loss of Control | None 
5/5/99 | Delta-8930 (Delta-3940) | Unintended orbit | process | engine/motor | engine/motor | Uncontained | LRE uncontained | None 
3/12/00 | Zenit-3SL | Failed to orbit | process | avionics | GNC | Loss of Control | Loss of Control | Loss of Function 
9/21/01 | Taurus-2110 (Commercial-Taurus) | Failed to orbit | unknown | GNC | GNC | Loss of Control | Loss of Control | None 
1/16/03 | Shuttle (STS) | Final orbit reached | process | TPS | TPS | Uncontained | Nominal ascent - Damage to payload | None 
6/29/04 | Zenit-3SL | Final orbit reached | process | avionics | engine/motor | Contained | Low Performance | None 
12/21/04 | Delta-4H (Delta-4050h) | Unintended orbit | design | MPS | engine/motor | Contained | Benign Failure/False Positive | None 
3/24/06 | Falcon-1 | Failed to orbit | design | MPS | engine/motor | Uncontained | LRE uncontained | Loss of Function 
1/30/07 | Zenit-3SL | Failed to orbit | process | engine/motor | engine/motor | Uncontained | LRE uncontained | Loss of Function 
3/21/07 | Falcon-1 | Failed to orbit | process | engine/motor | staging | Loss of Control | Staging - Loss of control | None 
6/15/07 | ATLAS V 401 | Final orbit reached | design | MPS | engine/motor | Contained | Propellant leak/loss - Low performance | None 
8/3/08 | Falcon-1 | Failed to orbit | design | engine/motor | staging | Loss of Control | Staging - Loss of control | None 
2/24/09 | TAURUS (CASTOR 120) XL 3110 | Failed to orbit | design | staging | staging | Contained | Staging - Low performance | None 
3/4/11 | TAURUS (CASTOR 120) XL 3110 | Failed to orbit | design | staging | staging | Contained | Staging - Low performance | None 
10/8/12 | FALCON9 V1 | Final orbit reached | process | engine/motor | engine/motor | Uncontained | LRE uncontained | None 
2/1/13 | ZENIT 3 SL (SEA LAUNCH)BLOK DM-SL | Failed to orbit | process | GNC | GNC | Loss of Control | Loss of Control | Loss of Function 
10/28/14 | ANTARES-130 | Failed to orbit | design | engine/motor | engine/motor | Uncontained | LRE uncontained | Environment 
6/28/15 | FALCON 9 V1 | Failed to orbit | process | structure | structure | Uncontained | Tank burst - Loss of vehicle | Environment 
11/3/15 | SPARK | Failed to orbit | unknown | unknown | unknown | Unknown | Unknown | Environment 
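

The percentages quoted in Section 3 can be re-derived from Tables B-1 and B-2. The following is an added example, not part of the original report: it transcribes the failed stage type, manifestation class and vehicle demise of all 52 flights using shorthand codes of its own, then recomputes the uncontained and direct-demise shares. It goes one step beyond the report by also computing the uncontained share with staging-attributed failures excluded, to show how the denominator moves the result.

```python
# Rows transcribed from Tables B-1 and B-2, one flight per line:
#   date, failed stage type (B-1), manifestation class (B-2), vehicle demise (B-2)
# The three-letter codes are this example's own shorthand:
#   CON Contained, LOC Loss of Control, UNC Uncontained, UNK Unknown
#   NON None, LOF Loss of Function, ENV Environment
FLIGHTS = """
5/29/80 Liquid LOC NON
7/14/80 Staging LOC NON
12/9/80 Liquid LOC LOF
8/3/81 Liquid CON NON
8/6/81 Staging UNC NON
12/18/81 Liquid LOC LOF
6/9/84 Liquid LOC NON
7/29/85 Liquid CON NON
8/28/85 Liquid LOC LOF
1/28/86 Solid UNC ENV
4/18/86 Solid UNC ENV
5/3/86 Liquid LOC LOF
3/26/87 Liquid LOC LOF
9/2/88 Liquid CON NON
3/14/90 Staging CON NON
4/18/91 Liquid LOC LOF
7/17/91 Staging CON NON
8/23/92 Liquid LOC LOF
3/25/93 Liquid CON NON
8/2/93 Solid UNC ENV
5/19/94 Liquid CON NON
6/27/94 Solid LOC LOF
6/22/95 Staging LOC LOF
8/5/95 Staging CON NON
8/15/95 Solid LOC LOF
10/23/95 Solid LOC LOF
11/4/96 Staging CON NON
1/17/97 Solid UNC ENV
8/1/97 Solid UNK NON
2/10/98 Solid CON NON
8/12/98 Liquid LOC LOF
8/27/98 Solid LOC LOF
4/27/99 Staging CON NON
4/30/99 Liquid LOC NON
5/5/99 Liquid UNC NON
3/12/00 Liquid LOC LOF
9/21/01 Solid LOC NON
1/16/03 Liquid UNC NON
6/29/04 Liquid CON NON
12/21/04 Liquid CON NON
3/24/06 Liquid UNC LOF
1/30/07 Liquid UNC LOF
3/21/07 Staging LOC NON
6/15/07 Liquid CON NON
8/3/08 Staging LOC NON
2/24/09 Staging CON NON
3/4/11 Staging CON NON
10/8/12 Liquid UNC NON
2/1/13 Liquid LOC LOF
10/28/14 Liquid UNC ENV
6/28/15 Liquid UNC ENV
11/3/15 Solid UNK ENV
"""

def load(text=FLIGHTS):
    """Parse the embedded rows into one dict per flight."""
    keys = ("date", "stage", "cls", "demise")
    return [dict(zip(keys, line.split())) for line in text.strip().splitlines()]

def uncontained(row):
    return row["cls"] == "UNC"

def pct(rows, hit, pool=lambda r: True):
    """Percentage of the rows selected by `pool` that also satisfy `hit`."""
    base = [r for r in rows if pool(r)]
    return 100.0 * sum(1 for r in base if hit(r)) / len(base)

def summary(rows):
    """Recompute the Section 3 shares, each with its denominator made explicit."""
    stage = lambda kind: (lambda r: r["stage"] == kind)
    return {
        "flights": len(rows),
        "uncontained_all": pct(rows, uncontained),                    # of all failures
        "uncontained_solid": pct(rows, uncontained, stage("Solid")),   # of solid-stage failures
        "uncontained_liquid": pct(rows, uncontained, stage("Liquid")), # of liquid-stage failures
        # Not a figure from the report: same question, staging failures excluded.
        "uncontained_excl_staging": pct(rows, uncontained, lambda r: r["stage"] != "Staging"),
        "demise_by_environment": pct(rows, lambda r: r["demise"] == "ENV"),
    }

def solid_uncontained_demise(rows):
    """Distinct demise modes seen among uncontained solid-stage failures."""
    return sorted({r["demise"] for r in rows if r["stage"] == "Solid" and uncontained(r)})

if __name__ == "__main__":
    for name, value in summary(load()).items():
        print(f"{name:26s} {value:6.1f}")
```
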


Appendix C: Descriptions of Flights with Launch Vehicle Errors 


This appendix provides a brief discussion of each flight in the historical failure set organized 
alphabetically by launch vehicle family and then by launch date. Headings for each flight 
summarize the launch date, the propellant types used in the launch vehicle, the stage number and 
type in which the failure initiated (“0” indicates a strap-on booster), the initial failure 
manifestation type, and the manner in which the vehicle was destroyed. 


Antares 


Vehicle/Flight: Antares-130 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise 
10/28/2014 | Combined | 1 | Liquid | LRE Uncontained | Environment 


This was the fifth and last flight of the Antares 100 series, the first flight of the upgraded Antares 
130 (with upgraded second stage). The first stage used two Russian NK-33 engines built in the 
1970s that had been purchased and refurbished by Aerojet and renamed AJ-26. This vehicle had 
two AJ26-62s. 


The vehicle behaved erratically right after launch. At just over T+15s, an explosion occurred in 
engine 1 of the Main Engine System (MES-1) and propagated to MES-2. The vehicle lost thrust 
and began to fall back to the launch pad. The Range Safety Officer (RSO) issued the destruct 
command just before the vehicle struck the ground in order to minimize the potential damage 
from the expected ground impact and subsequent explosion. A large explosion ensued and the 
vehicle and payload were lost. The launch pad and some nearby buildings were damaged. 


Aerojet Rocketdyne, Orbital Sciences and NASA conducted separate investigations after the 
accident with differing conclusions [26]. Orbital’s investigation report identified the likely 
source of the failure as a machining defect in the turbine assembly of the turbopump during 
manufacturing while Aerojet’s suggested the failure source was foreign object debris. The 
NASA Independent Review Team (IRT) identified three possible technical root causes of the 
failure: inadequate design of the AJ-26 liquid oxygen (LO2) hydraulic balance assembly (HBA) 
and turbine-end bearing, foreign object debris introduced into the LO2 turbopump, and a 
machining defect in the liquid oxygen turbopump. The IRT eventually concluded that the most 
likely cause of the MES-1 explosion was due to loss of radial positioning in the LO2 turbopump 
1, which caused friction due to rubbing between rotating and stationary components in the 
turbopump Hydraulic Balance Assembly (HBA) seal package, leading to ignition and fire [27]. 


In December 2014, Orbital Sciences announced that the RD-181—a modified version of the 
RD-191—would replace the AJ26 on the Antares 200-series. 


Figure C-1. Explosion in the Antares MES. Credit: NASA 


Figure C-2. Antares explodes just before hitting the launch pad. Credit: NASA 


Athena 


Vehicle/Flight: Athena-1 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise 
8/15/1995 | Combined | 1 | Solid | Loss of control | Loss of Function 


At T+79s into Athena’s debut flight, an anomalous pitch was detected by tracking cameras that 
resulted in uncontrolled oscillations. After the first stage shut down as planned at T+82s, the 
coning motion dislodged the shroud at T+121s. Six seconds later, the inertial measurement unit 
failed followed by second stage ignition. Although the second stage rapidly stabilized itself, the 
vehicle was already thrown off course, prompting the RSO to destroy it at T+160s [28]. 


Two independent failures were discovered, either of which would have led to a loss of the 
vehicle on its own: expended hydraulic fluid burned in the aft section of the first stage that 
damaged nozzle feedback cables and caused a loss of gimbal control and tumbling, and arcing in 
the Inertial Measurement Unit (IMU) high-voltage power supply that caused a loss of attitude 
reference. 


Vehicle/Flight: Athena-2 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise 
4/27/1999 | Combined | 3 | Staging | Staging - Low performance | None 


Athena launched carrying the Ikonos 1 high-resolution commercial imaging satellite. During the 
third stage, the shroud snagged and the payload fairing failed to separate. The extra weight 
prevented the satellite from reaching orbit and the third stage fell into the atmosphere over the 
South Pacific. 


The cause was determined to be an electrical failure caused by a design flaw. The shroud was 
designed in two pieces with pyrotechnic charges at its base to circumferentially split the shroud 
and charges inside the shroud to split it longitudinally. After the charges at the base fired, the 
others failed to follow. The initial shock of charges at the base had disconnected the cables for 
the charges inside of the shroud [28]. 


Atlas 


Vehicle/Flight: Atlas-19F 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise 
5/29/1980 | Combined | 1 | Liquid | Tank burst - Loss of Control | None 


The vehicle was running low on velocity and heavy on propellant for most of its flight, running 
almost a minute past its nominal burn time. The failure was caused by a rare but known failure 
mode when a seal was jostled loose by the rapid-fire pyrotechnic cartridge ignition system used 
in the Atlas E/F missiles, flooding the B-1 turbopump with fuel and slowing down its rotation 
speed. As a result, thrust levels in the engine were cut to 80% and booster velocity and fuel 
consumption were considerably reduced. The Atlas's onboard computer tried to compensate first 
by extending the booster engine burn time, but eventually a backup command forced a booster 
shutdown and jettison before the correct velocity could be achieved. After booster engine cutoff, 
the computer still tried to compensate by extending sustainer burn time until it went 50 seconds 
past what would have been normal cutoff. Following SECO, the booster also had to execute 
vernier solo mode for another 11 seconds [28]. 


For simplicity and to reduce the launch readiness time by removing the need to test an interface 
between the booster and the spacecraft, the NOAA satellite had no electrical interface with the 
Atlas [29]. Lacking communication with the booster, the satellite used its own accelerometer to 
determine when to separate and its solid rocket kick motor was designed to activate at a preset 
separation time in the event the accelerometer malfunctioned. The Atlas was consequently still 
running when the preset time occurred, causing the kick motor to rupture the LOX tank dome, 
which registered on telemetry readouts as an immediate loss of tank pressure. The spacecraft was 
unable to properly separate and perform the required pitch-down maneuvers, and the satellite 
reached a useless orbit and had to be abandoned [30]. 


Vehicle/Flight: Atlas-68E 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise 
12/9/1980 | Combined | 1 | Liquid | Loss of Control (asymmetric thrust) | Loss of Function 


A few hundred milliseconds before the planned commanded shutdown, one booster engine 
prematurely lost thrust. The asymmetric thrust caused the vehicle to rapidly spin 180 degrees 
before it stabilized in a retrofire attitude, lost velocity, and started descending back to Earth. The 
vehicle exploded high above the Earth’s surface. The cause was determined to be corrosion in a 
piece of ducting that resulted in the loss of lubricant to the turbopump. 


The mishap investigation revealed that the cause of the engine failure was loss of engine gearbox 
lubrication, which occurred at around T+100s. The conclusion reached by the U.S. Air Force 
Mishap Board was that a section of the lubrication feed line failed. Portions of the feed line were 
made of a material that was susceptible to stress corrosion. This fact had been known for years, 
but with the plans underway to replace all U.S. expendable launch vehicles (ELVs) with the 
Space Shuttle, there was little interest in spending any unnecessary funding on the old boosters 
[31]. 


Vehicle/Flight: Atlas-Centaur (AC-59) 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise 
8/6/1981 | Liquid | 5 | Staging | Damage to Payload | None 


Damage to the payload was sustained during ascent and the satellite did not become operational. 
The damage was ultimately attributed to explosive delamination of the fiberglass honeycomb 
fairing during flight. Specifically, the inside wall of the fairing damaged one of the solar arrays 
and bent the transmit antenna mast, preventing the antenna from fully deploying. The satellite 
was also placed in a lower orbit than anticipated and was eventually moved by ground 
controllers to a satisfactory orbit [32]. It is unclear when the fairing failed, so the failed stage 
number was assigned a 5 (payload deployment) rather than a particular vehicle stage number. 
The fairing used an unvented honeycomb sandwich structure, which was later shown to explode 
at high altitude in a proof test at 90,000 feet [33], making it possible that this failure occurred 
early during the flight, before booster engine cutoff (BECO). 


Vehicle/Flight: Atlas E/F SVS-1 (76E) 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise 
12/19/1981 | Combined | 1 | Liquid | Loss of Control (asymmetric thrust) | Loss of Function 


Atlas suffered an early engine shutdown 6 seconds after launch. By T+7.4s the MA-3 booster 
had lost all thrust and the vehicle began to lose control. It pitched over sharply and began to roll. 
At T+19.8s, the vehicle exploded before hitting the ground only 500 feet from the launch pad. 


After examining the debris, the cause of the failure was clear. During inspection of the B-2 
engine before installation on the booster, a metal O-ring seal was found to have slipped out of 
place. This issue had been seen many times before and the standard repair procedure was 
followed. The new seal was coated with Plastiseal, a sealant designed for that particular 
application, and the standard repair procedure indicated that “no excess globs of Plastiseal 
material to be applied to the seal.” Those instructions were followed, but there was still just 
enough sealant to flow over and plug up three coolant holes around the gas generator injector 
[34]. When Atlas was ignited, it only took 4 seconds for temperatures in the gas generator to 
melt the stainless steel casing [35]. The engine overheated and burned through its gas generator, 
severing an oxidizer line and shutting down the engine. 


Vehicle/Flight: Atlas G 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise 
6/9/1984 | Liquid | 2 | Liquid | Tank burst - Loss of control | None 


After the payload reached low earth orbit, the upper Centaur stage of the Atlas G exploded 
during the coast phase, prior to the second Centaur burn, as a result of a large oxygen tank leak. 
The Centaur and Intelsat tumbled end-over-end and reentered the atmosphere 4 months later. 


A minor fatigue crack developed in the LOX tank during an anomalously violent staging and 
orbital injection when sulfur oxide collected in the interstage area and amplified the charge firing 
enough to crack the LOX tank. 


Propellant boost pumps were deleted on this version of Centaur to save weight, and the LOX 
tank pressure was increased 25% to compensate. The leak had gone undetected during pre-flight 
inspection procedures. Although the tank had been designed to accommodate higher pressure, 
the technicians at Convair failed to check Centaur for leaks before shipping it to Cape Canaveral 
[36]. 


Vehicle/Flight: Atlas-G Centaur-D1AR 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
3/26/1987 | Liquid | 1 | Liquid | Loss of control | Loss of Function


Although Atlas was launched into rain, it was reported that this launch did not violate the rules 
set for launch in rainy conditions as there were no reported thunderstorms within 5 miles of the 
pad and no anvil clouds within 3 miles of the pad. However, at T+48s, unknown to the ground 
crew, the vehicle was struck by lightning, damaging the guidance computer. As a result, an 
erroneous pitch down command was sent that caused the vehicle to yaw and lose control. At 
T+51s, the vehicle strayed off course and the RSO destroyed it. A piece of the recovered 
aerodynamic shroud was found with a number of burn-through pinhole punctures, confirming 
that Atlas had been struck by lightning several times. The digital computer unit sent the 
erroneous command to gimbal hard to the right and the vehicle began to break up at T+50.7s 
[37]. 


Vehicle/Flight: Atlas-1 (AC-70) 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
4/18/1991 | Liquid | 2 | Liquid | Loss of control (asymmetric thrust) | Loss of Function


This was the first of two Atlas-Centaur upper stage failures (AC-70 and AC-71) due to a stuck 
valve. When the Centaur stage ignited at T+361s, one of the two engines did not achieve full 
thrust due to the ice plug and the vehicle tumbled, prompting the RSO to destroy it at T+441s. 


The privately led investigation incorrectly concluded that "perhaps a nut or a bolt" was 
introduced during cleaning of propellant ducts, causing the turbopump failure. Changes to the 
cleaning process and software were instituted. In addition, the Centaur was modified to yield 
extra torque in order to overcome a 'slow start' in a turbopump, and software was rewritten to 
shut down and rerun the startup cycle in the event of an engine start failure [28]. 


The true cause of this failure was not discovered until 1992 when another flight, AC-71, suffered the 
same error. The investigation following the second failure found that one of the valves used was 
prone to leaks, and that this had likely existed for a long time as a latent issue. However, the 
valve did not cause any issues until General Dynamics’ engineers found a way to increase engine 
performance with a more efficient pre-chilling process. Atmospheric nitrogen entered the 
Centaur C-1 engine after pre-chilling through a stuck check valve and, upon contact with the 
hydrogen, froze in the LH2 turbopump and gearbox. The new pre-chilling process allowed the 
ice plug to form [38]. 


Vehicle/Flight: Atlas-1 (AC-71) 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
8/23/1992 | Liquid | 2 | Liquid | Loss of control (asymmetric thrust) | Loss of Function


This launch vehicle failed due to the same error that occurred during the April 18, 1991, Atlas-1 
AC-70 launch. At Centaur ignition, the engine did not achieve full thrust, causing the stage to 
tumble. The vehicle was destroyed by RSO about 8 minutes after launch [39]. 


The increased torque added after the AC-70 failure should have produced a successful start, and 
the new software did order a second startup cycle, but neither provision worked. The 
investigation board for this accident included government participation and correctly 
hypothesized that during the pre-launch chill-down procedure, moisture from the ambient air 
entered the Centaur C-1 engine through a stuck check valve and froze in the LH2 turbopump and 
gearbox. A solenoid valve was added to prevent air from entering the turbopump and freezing on 
its blades [38]. 


Vehicle/Flight: Atlas-I (AC-74) 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
3/25/1993 | Liquid | 1 | Liquid | Low performance | None


At T+24s the Atlas’ two auxiliary engines began to lose thrust, eventually leveling off at 65% 
power. Although the Centaur upper stage computer tried to compensate for the thrust loss by 
extending the first burn by 24 seconds, the stage exhausted its propellant prior to completing the 
burn. The launch vehicle inserted the Hughes UHF 1 follow-on spacecraft into a lower orbit than 
anticipated. The satellite maintained functionality, but was considered a loss due to the 
unacceptable orbit. An improperly torqued set screw in the first stage sustainer engine precision 
regulator caused reduced power and an early shut down [38]. 


Figure C-3. An Atlas I rocket awaits lift-off. Credit: NASA 


Vehicle/Flight: Atlas V 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
6/15/2007 | Liquid | 2 Liquid Prope Leas | aang 
Low performance 


The Centaur upper stage shut down four seconds earlier than planned due to a fuel leak in the 
engine system cryogenic liquid hydrogen valve. The leak continued during the nearly one hour 
coast phase between the two Centaur main engine burns. Some real-time indications of an 
anomaly occurred during the mission. Several parameters suggested that the temperature was 
off-nominal, but the effects of the difference on the performance of the engine were unknown 
until the premature shutdown due to fuel depletion. Although the payload was placed in a lower 
orbit than planned, a proper orbit was eventually achieved using the spacecraft’s on-board 
propulsion system. 


The failed LH2 fuel valve in the RL10 was a new design used in only a half-dozen previous 
flights (the manufacturer was phasing the old valve out of their product line). Future Atlas 5 and 
Delta 4 rocket launches (both rocket families use versions of RL10 engines to power their 
upper stages) planned to revert to the previous fuel inlet valve design that officials fully trusted. 
Subsequent testing during the investigation showed that the heritage valve design had larger 
closing force margins. This mission also experienced a longer than average first burn, which 
increased valve exposure to cryogenic hydrogen and elevated valve friction. As a result, the 
valve did not close completely and leaked fuel during the coast phase [40]. 


Figure C-4. An Atlas V rocket lifts off from Launch Complex 41. Credit: NASA 


Conestoga 


Vehicle/Flight: Conestoga-1620 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
10/23/1995 | Solid | 1 | Solid | Loss of control | Loss of Function


At T+44.4s the launch vehicle began to turn and then pitched down. The RSO sent the 
self-destruct command, but the FTS failed to operate on two of the Castor 4 stage 1 motors. The third 
stage Castor 4B and fourth stage Star 48 were not destroyed by range safety and landed in the 
ocean. Noise in the guidance control system led to excessive steering of one stage-1 booster 
motor and depleted the motor’s hydraulic fluid [7]. The vehicle completely lost control and 
broke up at T+46s [41]. 


Delta 


Vehicle/Flight: Delta-3913 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
8/3/1981 | Combined | 1 Liquid Prope nat Leas ll None 
- Low performance 


Delta-3913 failed when a malfunction in the booster rocket caused the main engine to shut off 
early. This caused the DE-2 satellite (co-launched with DE-1) to be placed in a lower orbit than 
anticipated. This issue was not considered serious and the satellite lasted its intended lifespan. It 
reentered the atmosphere in 1983. DE-1 was placed in a higher orbit and retired in 1991. 


The underperformance of the main engine was caused by a propellant loading error that was the 
result of an instrumentation error [30]. 


Vehicle/Flight: Delta-3914 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
5/3/1986 | Combined | 1 Liquid Poss onconn or. ibeseconRuncHon 
Asymmetric thrust 


Delta-3914 failed when the first stage engine shut down prematurely at T+71s of a planned 223s 
firing. Without attitude control and the 3 air-started strap-on motors burning, sufficient yaw had 
developed by T+77s to over-stress the shroud and shear it off. The payload was destroyed. The 
vehicle had completed a full 360-degree rotation before the RSO commanded its destruction. 
According to the launch vehicle telemetry, there had been two power surges at T+70s before the 
engine shut down. These two surges caused a reduction in voltage to the relays that held the 
propellant valves open, supplying fuel to the engines. Once voltage to keep those relay coils 
energized was lost, even momentarily (6 and 13ms), they could no longer be re-actuated, killing 
the power to the vehicle’s rocket engine relay box and shutting the engine down. Years earlier, 
the wiring insulation was changed from polyvinyl chloride (PVC) to Teflon. The shape of the 
harness caused it to chafe and expose the wires as the launch vehicle vibrated on ascent. The 
vehicle was carrying the GOES-G weather satellite, designed to replace GOES-5 and provide 
continuous vertical profiles of atmospheric temperature and moisture [28]. 


Vehicle/Flight: Delta-7925 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
8/5/1995 | Combined | 0 Staging miagine - low None 
performance 


At T+66s the three strap-on Graphite-Epoxy Motors (GEMs) ignited while the other six motors 
used to augment launch jettisoned normally. At T+130s, two of the air-started motors jettisoned 
normally, but one failed to jettison and remained attached to the vehicle. The explosive lines 
used to separate the motor were damaged due to exposure to excessively high temperatures 
caused by a failure of the insulation to protect the rocket’s booster separation circuits [42]. The 
added weight of the motor resulted in a significant loss of velocity after the first stage shut down. 
The second stage computer attempted to correct this error by extending the initial burn an extra 
35 seconds, but the tanks ran dry after just 10 seconds during the follow-on burn. The payload 
eventually achieved geostationary orbit at the expense of over half of its orbital life expectancy 
[4]. 


Figure C-5. Delta 7925 at Launch Pad 17-B. Credit: NASA 


Vehicle/Flight: Delta-7925 (D241) 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
1/17/1997 | Combined | 0 | Solid | Case Burst | Environment


At T+13 seconds and a height of 1600 feet, the launch vehicle exploded and rained 250 tons of 
propellant and hardware on and around the launch pad. Photographs showed black smoke 
venting from the side of one of the six Graphite Epoxy Motors (GEMs) about T+6 seconds after 
ignition, indicating a case breach [28]. At T+7.2 seconds after ignition, GEM number 2 
developed a 71-inch-long split in its casing. The split grew to 254 inches before the motor failed 
at T+12.6 seconds [43]. Telemetry showed that the self-destruct system detected a vehicle 
distortion at T+13 seconds, immediately after the explosion of GEM number 2 [28]. Mission 
Control sent destruct commands at T+22.3 seconds to destroy the largely intact second and third 
stages, releasing the payload and fairing. As a result, the payload exploded on impact with the 
ground [43]. 


Vehicle/Flight: Delta-8930 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
8/27/1998 | Combined | 0 | Solid | Loss of control | Loss of Function


At T+55s the rocket began a 4 Hz roll oscillation that the control software design had not 
accounted for [44]. As a result, the TVC system tried to correct the roll, but over-compensated 
and actually exacerbated the instability. Once the TVC system depleted the hydraulic fluid, the 
oscillation diminished, but the gimbals, without fluid for control, pitched the vehicle over. At 
T+72s attitude control was lost, and the vehicle began to break up. The initial roll oscillations 
were found to be caused by the air-lit SRMs gaining significant control influence as the other 
ground-lit SRMs depleted their propellant. The significance of this roll mode was overlooked 
and not incorporated into the design of the control system [28]. 


Vehicle/Flight: Delta-8930 (D3-2) 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
5/5/1999 | Combined | 2 | Liquid | LRE Uncontained | None


Two shock events occurred during the second stage RL-10B-2 failure. The first occurred 4.5 
seconds after the second stage’s first ignition, and the second, larger shock occurred 3.5 seconds 
after the second ignition, which was to inject the satellite into a transfer orbit. There was an 
increase in temperature around the engine, followed by a sudden decrease. This rapid thermal 
variation was believed to have been caused initially by hot gases escaping from a breach in the 
combustion chamber, followed by cold propellant flowing out from a ruptured cryogenic 
propellant line. The venting of the hot gases already in the chamber put the stage/spacecraft 
assembly into an uncontrollable tumble, during which the engine shut down. The satellite 
separated from the stage according to the preset programming. 


Analysis found a 67 square inch diamond-shaped breach of the engine's combustion chamber. 
The investigation found the breach at a seam that leaked during static firing and had been 
repaired. The flawed brazing left air pockets that allowed the joint to split. The repaired seam 
survived a dozen later tests and its first in-flight firing, prompting Pratt & Whitney to argue that 
there must have been some other unexpected torsional stress. Boeing disagreed. After this 
incident, seams were plated in place instead of brazed, and each unit placed into an oven and 
baked. Pratt & Whitney’s corrective actions included: 1) immediate ultrasonic inspection of 25 
existing RL10 engines to reveal bonding weaknesses and 2) use of a "slightly different 
technique" to braze combustion chamber reinforcing bands on new RL10s. 


In their previous 36-year-long history, the RL10s had never experienced a combustion chamber 
rupture. In this instance, however, the investigation determined that brazing coverage was "a 
factor of four" below design requirements. In some areas, the brazing was as low as 20% per 
linear inch. Drawings had called for a minimum of 80% coverage per linear inch, but product 
inspectors reinterpreted the standard to mean 80% coverage averaged over the entire length of 
the reinforcement strip. Since the offending brazing technique was a relatively recent 
innovation, many of the 25 existing engines tested out well — they had been built using the older 
technique [4] [28] [45]. 


Vehicle/Flight: Delta-IV Heavy 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
Ae ae Benign Failure/ 
12/21/2004 | Liquid ib Liquid False Positive None 


This was the first (demonstration) launch of the Heavy variant of the Delta IV, carrying a 
DemoSat and a NanoSat2 (a set of two very small satellites). A main engine early shutdown was 
triggered by an empty tank signal from the fuel sensor during the first stage. Cavitation that 
initiated around the entrance to the propellant feed line is believed to be the cause of the failure. 
The vehicle was carrying two payloads, one of which was separated at a very low orbit and 
subsequently burned up in the atmosphere. The second payload was released at a lower orbit than 
anticipated, but achieved its primary flight objectives [7]. 
As a result of the early shutdown, the upper stage was left with a 1500 foot-per-second speed 
deficit and attempted to compensate. The upper stage had three planned burns over the 6-hour 
mission to geosynchronous orbit. The first burn of the upper stage was designed with propellant 
margin in case of any Common Core Booster shortfalls, and burned much longer than the 
planned 7-minute first burn, but still could not reach a stable orbit, releasing its payload too low. 
The second stage made its second burn and coasted for 5 hours before its final burn. The final 
(third) circularization burn was to last 3 minutes, but the stage shut down two-thirds of the way 
in, having spent all of its fuel. 


This same configuration worked without a problem in previous Delta IV incarnations. However, 
the acceleration profile, combined with the liquid levels and flow rate of the new mission, 
resulted in the cavitation phenomenon. Cavitation margin adjustments were taken into 
consideration for subsequent flights, with throttling schedules and ullage pressurization 
management strategies [46]. 


Figure C-6. A Delta-IV Heavy rocket lifts off from Launch Complex 37. Credit: NASA 


Falcon 


Vehicle/Flight: Falcon-1 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
3/24/2006 | Liquid | 1 | Liquid | LRE Uncontained | Loss of Function


At T+34s, the main engine shut down after a fire broke out just above the engine and damaged 
the first stage pneumatic helium system. The vehicle rolled and pitched over before falling back 
to the ground and landing onto a dead reef about 250 feet from the launch site. A kerosene fuel 
leak began at T-400s when the propellant pre-valves were opened; the fuel was ignited when the 
main engine started at liftoff. Over time, the fire resulted in a loss of pneumatic pressure, causing 
the RP-1 and liquid oxygen pre-valves to close, terminating engine thrust 34 seconds after 
ignition. 
A corroded fuel line nut was determined to have been the cause of the failure. The nut actually 
broke sometime in the 18 hours prior to launch [47]. SpaceX implemented numerous changes to 
the rocket design and software to prevent this type of failure from recurring, including replacing 
aluminum hardware with stainless steel (which is less expensive, but heavier) and increasing 
pre-liftoff computer checks by a factor of thirty [48]. 


Vehicle/Flight: Falcon-1 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
3/21/2007 | Liquid 1 Staging Stee = OSS. aad 
control 


The interstage fairing on the top of the first stage contacted the second stage engine bell during 
staging due to a higher than expected rotation rate. The stages separated at a lower altitude than 
planned, causing high rotation rates due to aerodynamic forces that would have otherwise been 
negligible at the planned staging altitude. The fuel mixture ratios were slightly off-nominal as a 
result of an incorrect propellant utilization file that was loaded onto the engine computer, 
resulting in a lower first stage trajectory. At T+260s, a circular coning oscillation began and 
video was lost. At T+301s the vehicle started to roll and telemetry was lost. The second stage 
engine shut down at T+450s due to a roll control issue. The increased oscillation was the result 
of sloshing propellant in the LOX tank. The fuel in the second stage centrifuged, exposing fuel 
inlets, and caused the second stage engine to flame out at T+660s. Baffles were added to the 
second stage tanks in future flights to reduce possible sloshing. The Thrust Vector Control 
system in the second stage would have normally dampened the oscillation, but the bump to the 
second stage engine bell caused overcompensation in the correction [47]. 


Vehicle/Flight: Falcon-1 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
8/3/2008 | Liquid | 2 Seine, ome eeeeor Innes 
control 


This launch debuted the new Merlin 1C engine, meant to increase Falcon’s payload size and 
provide higher thrust. Stage separation went as intended, but residual fuel in the new engine 
evaporated and provided additional transient thrust. The first stage re-contacted the second stage 
and damaged the engine, resulting in the vehicle failing to reach orbit. 


This was the first flight with a new regeneratively cooled engine. A longer than expected thrust 
transient that occurred after engine shutdown caused the first stage to be pushed toward the 
second stage after separation. The gap between engine cutoff and staging was too short (1.5 s) 
for the new engine (it was fine for the ablatively cooled engine used prior to this flight). Testing 
the new engine at sea level rather than at vacuum level masked the thrust transient and the need 
for a longer gap. During re-contact, the second stage firing of a (damaged) pressure-fed Kestrel 
engine burned the parachutes in the first stage. As a result, neither stage was recovered. 


Vehicle/Flight: Falcon 9 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
10/8/2012 | Liquid | 1 | Liquid | LRE Uncontained | None


The vehicle performed nominally until T+80s when one of the nine Merlin 1C first stage engines 
shut off and appeared to expel debris. The vehicle continued on its trajectory with the other eight 
engines and the second stage burning slightly longer to make up for the loss of thrust. The 
primary payload, cargo for the first NASA Commercial Resupply Services mission, was inserted 
into orbit and completed its mission. However, due to the first stage engine anomaly, there was 
not enough fuel left to insert the secondary payload into its required orbit. The secondary 
payload reentered the atmosphere and broke up. 


An undetected material flaw in the engine chamber jacket, likely introduced during engine 
production, ultimately developed into a breach in the main combustion chamber during flight. 
This breach released a jet of hot gas and fuel in the direction of the main fuel line causing a 
secondary leak and ultimately a rapid drop in engine pressure and engine failure (either a 
shutdown or explosion) that did not propagate beyond the initiating engine but did cause the 
fairing that protects the engine from aerodynamic loads to rupture and fall away from the 
vehicle. As a result, the on-board guidance system successfully compensated for the loss of 
thrust by commanding longer burns using a modified flight profile. The remaining eight first 
stage engines burned 12-13 seconds longer and the second stage burned 15-16 seconds longer. 
Because the longer second stage burn consumed some of the reserve fuel required by ISS policy, 
delivery of the secondary payload, an Orbcomm communications satellite, to its proper orbit was 
not attempted. The secondary payload reentered Earth two days later [49] [50]. 


Vehicle/Flight: Falcon 9 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
6/28/2015 | Liquid 2 Liquid Hank Bursbo loss 8 leas cament 
vehicle 


The first stage of the launch vehicle operated nominally until T+139s when an overpressure 
event occurred in the upper stage LOX tank. The first stage of the vehicle continued to power 
through the overpressure event for several seconds before it disintegrated. The Dragon 
spacecraft on board the launch vehicle survived and continued to communicate until it fell below 
the horizon. The time from first indication of trouble to loss of all data was 0.893 seconds. A 
steel strut holding a high-pressure helium tank was later discovered to have snapped during 
ascent under the combination of g-forces and cryogenic temperatures, ultimately leading to 
helium tank rupture within the LOX tank or impact with, and puncture of, the LOX tank wall. In 
either case, the LOX tank experienced an overpressure event and ruptured catastrophically. The 
helium tank is located inside the cryogenic oxygen tank for temperature regulation [51]. 


Figure C-7. A Falcon 9 launch vehicle lifts off from Cape Canaveral. Credit: NASA 


Pegasus 


Vehicle/Flight: Pegasus HAPS 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
7/17/1991 | Combined | 2 Staging etngtie low None 
performance 


Pegasus suffered a stage separation malfunction between the first and second stage. The 
pyrotechnic separation system caused the vehicle to veer off course. At T+102.8s the second 
stage burn started in a nose-down attitude followed by incomplete payload fairing separation at 
T+214s. Course corrections during second and third stage burns allowed the vehicle to reach 
orbit, but the loss of velocity placed the satellites in a low orbit, cutting their lifespans down by 
2.5 years [4] [52]. 


Vehicle/Flight: Pegasus HAPS 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
5/19/1994 | Combined | 4 | Liquid | Benign Failure/False positive | None


The HAPS liquid upper stage shut down about 25 seconds early due to a software navigation 
error, resulting in a lower-than-specified orbit. The payload was still able to provide useful data 
[4]. 


Vehicle/Flight: Pegasus-XL 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
6/27/1994 | Solid | 1 | Solid | Loss of control | Loss of Function


Several seconds after first-stage ignition, Pegasus veered off course and lost speed, prompting 
RSO to destroy it. The investigation revealed that the vehicle experienced an anomalous roll due 
to a ‘phantom yaw’ caused by an improper aerodynamics model used in the control system 
autopilot design [4] [28]. 


Vehicle/Flight: Pegasus-XL 


control 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
6/22/1995 | Solid 7) Staging SRE e ure OP lee muiction 


The second stage nozzle gimbal became constrained when the interstage ring between the first 
and second stages failed to separate. Control authority was greatly reduced and the vehicle began 
to tumble out of control during the second stage. After two and a half loops, the interstage was 
eventually shaken off and the second stage re-stabilized, but the IMU was overwhelmed and the 
vehicle veered off course, prompting range safety to destroy it [4] [28]. 


Vehicle/Flight: Pegasus-XL 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
11/4/1996 | Solid 5 Staging pineibe Dane ~ li None 
fails to separate 


The launch vehicle reached the correct orbit but failed to separate from the payload. A rapid 
decrease in voltage from the transient battery prior to the payload separation pyro event resulted 
in the failure of the separation system. Investigators found that the shock of third-stage 
separation caused damage to a power bus at T+460s, leaving the stage without enough voltage to 
activate the pyrotechnic separation device [53]. 


Vehicle/Flight: Pegasus-XL 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
8/1/1997 | Solid | 3 | Solid | Unknown | None


The payload was delivered to an orbit 98km lower than planned and required additional 
propulsive maneuvers to reach the desired orbit for operation [54]. 


Space Shuttle 


Vehicle/Flight: Space Shuttle (STS-51-F Challenger) 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
7/29/1985 | Combined | 1 | Liquid | Benign Failure/False Positive | None


The number one main engine experienced a premature shut down at T+345s (the only in-flight 
main engine shutdown of the entire shuttle program) due to a faulty fuel turbine discharge 
temperature sensor. The crew was instructed to Abort to Orbit (ATO). Approximately 8 minutes 
into the flight, after the ATO order, one of the same temperature sensors in the right engine 
failed and the remaining sensor displayed values close to the redline, which would have 
prompted a second engine shutdown. The systems engineer commanded the crew to inhibit any 
further automatic engine shutdowns based on readings from the remaining sensors. STS-51-F 
completed the mission objectives at a much lower orbit than originally planned. This quick 
action prevented the loss of another engine and a possible abort scenario far riskier or far worse 
than the already in-progress ATO [55]. 


Figure C-8. STS-51-F launches from Kennedy Space Center, Florida. Credit: NASA 


Vehicle/Flight: Space Shuttle (51-L Challenger) 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
1/28/1986 | Combined | 0 | Solid | Case Breach | Environment


STS Challenger was launched at an ambient temperature of 38°F (3.3°C) instead of the minimum 
53°F (11.7°C) derived from the previous temperature experience of the STS program. The cold 
temperatures led to loss of resiliency in the motor case joint rubber O-rings. The combustion 
flame leaked through the O-rings and case joint, and impinged on the motor’s aft attach-struts 
and the external tank. Failure of the aft struts caused the aft end of the motor to move outward 
and forced the nose of the SRM into the upper portion of the external tank. 


Initially, many individuals believed the Challenger broke apart in a massive explosion of the 
propellants because of a large circular cloud seen at the bottom of the liquid oxygen tank area at 
73.282 seconds MET. The Explosion Working Group (EWG) assembled in the wake of both the 
Challenger and Titan 34D-9 accidents concluded, however, that no significant explosion was 
generated during the failure evolution. Analysis of the dynamics of the cloud that resulted from 
the disaster, and examination of the photography led the EWG to conclude that the percentage of 
hydrogen consumed in a rapid burn was between 6% and 19%. Experts from Marshall Space 
Flight Center concluded that the bright spot initially thought to be an explosion was in fact a 
result of reflected sunlight from liquid hydrogen and oxygen droplets spread by flash 
vaporization. These findings were supported by lack of evidence of exposure to intense heat, 
e.g., melted aluminum, in any of the recovered debris, other than that caused by the exhaust of 
the errant right Solid Rocket Booster (SRB). Finally, no evidence of significant shrapnel 
damage was observed on the External Tank (ET) or Orbiter surfaces. 


The EWG determined that the breakup of the ET primarily resulted from the errant, gyrating 
right SRB distorting the ET intertank area and tearing open both the liquid oxygen and liquid 
hydrogen tanks. The right SRB also contacted the Challenger spacecraft’s right wing, which, 
together with minor explosions in the intertank area, helped release the orbiter and expose it to 
the destructive aerodynamic forces that ultimately tore the vehicle apart. 


The EWG report also states that, based on photographic evidence, the IUS rocket booster for the 
TDRS-B exited the payload bay intact during the Challenger breakup. Other payloads in the bay 
could not be positively tracked in the photographic evidence; however, it is believed, based on 
examination of the recovered debris, that the major damage was sustained from impact with the 
water. It is also believed that the Challenger crew compartment was intact during the descent 
following the explosion but that the crew died on impact with the sea [28] [56]. 


Ultimately, the propagation of the failure was enabled by the proximity of critical structural, load 
bearing, and propellant containment components to the initial case breach, a failure that might 
have had relatively benign consequences within a different architecture. 


Figure C-9. A puff of black smoke is seen coming from the lower portion of the right SRB. 
Credit: NASA 
Vehicle/Flight: Space Shuttle (STS-107 Columbia) 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
1/16/2003 | Combined | | Liquid | Damage to Payload | None (Orbiter reached intended orbit and destroyed during reentry)


At T+81.7s one large piece and at least two smaller pieces of insulation foam separated from the 
External Tank (ET) left bipod ramp. At T+81.9s the larger piece struck the underside of the left 
wing, striking between Reinforced Carbon Carbon (RCC) panels 5 through 9. The larger piece of 
foam was determined to be 21 to 27 inches long and 12 to 18 inches wide. It was moving at a 
relative velocity to the Shuttle of 625 to 840 feet per second at the time of impact. The impact 
was of sufficient force to crack the RCC that provided the thermal protective barrier to the internal 
wing structure. On entry, the extreme temperatures generated in the vehicle flow-field were thus 
able to penetrate to the internal wing structure, causing structural failure, loss of control, and 
complete vehicle breakup [57]. 


[Figure annotations: "Debris"; "Shower of particles below (-Z) of LH wing after debris struck wing"]


Figure C-10. Columbia debris particles and wing strike. Credit: NASA 
Super Strypi 


Vehicle/Flight: SPARK 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
11/3/2015 | Solid | 1 | Solid | Unknown | Environment


This launch vehicle was designed to carry small satellites to a sun-synchronous orbit and serve as 
a relatively inexpensive, easy-to-operate satellite launcher. The first and only launch of the 
vehicle was experimental and meant to test the rocket at its full payload capacity. It carried many 
cubesats and a small imaging satellite (HiakaSat), but broke up due to tumbling shortly after 
lift-off. Air Force officials admitted they accepted “elevated risk” over concerns that hot gas inside 
the LEO-46 first stage motor could burn through insulation lining the composite casing. 
However, the root cause of the failure has yet to be released [58] [59]. 


Taurus 


Vehicle/Flight: Taurus-2210 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
2/10/1998 | Solid | Unknown | Solid | Vehicle over-performance - Off-nominal ascent | None


The payload was delivered 91 km higher than planned, and despite the error, mission objectives 
were met [4]. 


Vehicle/Flight: Taurus-2110 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
9/21/2001 | Solid | 2 | Solid | Loss of control | None


At T+83s the second stage Orion 50S ignited but the driveshaft of the actuator for the 
thrust-vectoring system seized for about 5 seconds, causing the vehicle to veer off course. The Taurus 
suddenly turned to the left and then right, with gyrations continuing for several seconds before 
the rocket appeared to regain control. The system recovered and continued its launch profile, but 
because of a velocity shortfall, the vehicle did not reach a sufficient orbit and reentered the 
atmosphere over the Indian Ocean [60]. 
Vehicle/Flight: Taurus XL 3110 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
2/24/2009 | Solid | 3 | Staging | Staging - Low performance | None


The launch vehicle performed as planned until 7 seconds after the second stage burn (note: 
Taurus vehicle stages are numbered starting with zero to remain consistent with Pegasus upper 
stage numbering, but because we use “zero” to denote strap-on boosters, the failed stage listed 
here is “3” rather than “2”), when the command for payload fairing separation was sent. The 
fairing separation indicators showed no change, prompting the ground team to rapidly assess the 
situation. The payload had separated from the upper stage, but was still encased within the 
payload fairing. The mission was lost and the payload reentered the atmosphere, breaking up 
over the Pacific Ocean near Antarctica. 


This was the first of two consecutive payload separation failures by the Taurus XL, the second of 
which occurred on T9 carrying the Glory spacecraft in 2011. Both failures resulted in payload 
reentry. 


The executive summary on the NASA website cites 4 possible causes of the fairing separation 
failure: a frangible joint subsystem failure that failed to provide separation, an electrical 
subsystem failure that did not provide current needed to initiate the explosives, a pneumatic 
system failure that did not supply enough pressure to separate the fairing, or a snagged cord on a 
frangible joint side rail nut [61]. Full details of the report were not disclosed for proprietary 
reasons. The executive summary states that whereas the Mishap Investigation Board (MIB) was 
unable to determine which component or subcomponent was the direct cause for the fairing not 
to separate, the snagged cord was a remote possibility. Rather than suppress the report until 
further testing was complete, the MIB opted to release the report with these intermediate 
findings. 


Space News reported that the cause was a faulty pressure initiator in a gas-generator component. 
In the report, the COO of Orbital was quoted as saying that their investigation concluded that the 
cause of the failure was a faulty pressure initiator and that the defective fairing-separation system was “a supplier 
issue and dealt with some lot-acceptance testing of the pressure initiator.” He referred to “lower 
shock margins in these lot-acceptance tests” for the pressure initiators as being partly to blame, 
and said the initiator design would be modified [62] [63]. 
Vehicle/Flight: Taurus XL 3110 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
3/4/2011 | Solid | 3 | Staging | Staging - Low performance | None


Similar to the Taurus XL failure in 2009 (T8), this launch vehicle (T9) also performed nominally 
until just after the second stage ignition burn (note: Taurus vehicle stages are numbered starting 
with zero to remain consistent with Pegasus upper stage numbering, but because we use “zero” 
to denote strap-on boosters, the failed stage listed here is “3” rather than “2”). Payload fairing 
separation was scheduled for 176.98 seconds after liftoff. Telemetry indicated that the 
subsequent stage 2 burn and separation, stage 3 ignition and burn, and spacecraft separation all 
occurred as planned. However, the payload fairing remained partially attached and the payload 
was not able to reach a stable orbit. It reentered the atmosphere and likely broke and/or burned 
up because of reentry loads and aerodynamic heating. 


Although both missions involved payload fairing separation failures, with both payloads 
reentering, the root causes appear to be associated with different components. In the previous 
failure, a faulty pressure initiator was to blame. Here, the frangible joint did not fracture 
completely when detonated. 


As a result of the T8 accident, an extra pressure sensor was added to the cold gas pressurization 
system in place of the hot gas generator system. This sensor ultimately provided valuable data to 
the T9 MIB. The sensor data verified that the cold gas pressurization system performance was 
satisfactory and that the T9 payload fairing’s base ring indeed had separated. As a result, the T9 
MIB could eliminate the cold gas pressurization system and the base ring as root causes and 
focus on the scenario in which the forward end of the payload fairing side rail failed to fracture. 


In the end, a root cause could not be definitively established, due mostly to lack of flight data and 
hardware to examine (it all burned up on reentry), but also due to sparse reporting of changes and 
testing during vehicle and trajectory redesign: the evolution of the base ring since its 
development for the Pegasus vehicle was insufficiently documented. For the frangible joint, the 
investigation board recommended improved system manufacturing process controls, a detailed 
design failure analysis, and a qualification and test activity [64]. 


Thor 


Vehicle/Flight: Thor-LV2F Star-37XE Star-37S-ISS 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
7/14/1980 | Combined | 3 | Staging | Staging - Loss of control | None
The last Thor Burner 2A mission status was nominal through its second stage burn when 
telemetry was lost. The wiring harness between the second and third stages was misaligned and 
did not disconnect as intended. When the Star 37S-ISS third stage ignited its engine, its wiring 
harness catastrophically displaced, causing short circuits that disabled the flight control system. 
The stage pitched down and failed to achieve orbit [65]. 


Titan 


Vehicle/Flight: Titan-34D 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
8/28/1985 | Combined | 1 | Liquid | Loss of control (asymmetric thrust) | Loss of Function


During the first stage burn, engine 1 began experiencing low performance at T+102s. At T+117s, 
after SRM jettison, engine 1 shut down completely. Because both engines were needed to 
maintain a controlled flight, the vehicle lost attitude control and began tumbling. The on-board 
computer shut down engine 2 and began premature separation and ignition of stage 2. The 
vehicle tumbled and was destroyed by range safety at T+272s. 


An oxidizer leak in the first stage caused a turbopump failure when the pump’s pinion gear broke 
due to the loss of cooling or lubrication. This caused a premature engine shutdown in one of the 
two main core stage engines [66]. 


Vehicle/Flight: Titan 34D (34D-9) 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
4/18/1986 | Combined | 0 | Solid | Case Burst | Environment


The solid rocket motor case insulation in SRM-2 de-bonded during ignition. This led to 
burn-through of the case at the butt-joint between segments 1 and 2. At 8.5 seconds into the flight, a 
12-ft diameter ball of fire erupted from the side of SRM-2. At 8.7 seconds, the SRM exploded, 
and the vehicle and its payload were automatically destroyed 800 feet above the launch pad at 
Vandenberg AFB. Debris was scattered, causing major damage to the launch complex. The other 
SRM (SRM-1 on the west side of stack) was destroyed by the Inadvertent Separation Destruct 
System (ISDS) approximately 0.3 seconds after the SRM-2 initial burn through. Engine 
shutdown was commanded at T+15.5s, followed by a self-destruct command at T+16.3s. The 
vehicle impacted the ground at T+28.4s [67]. 
Reconstruction of recovered fragments from both SRMs indicated a case burst of the lower 
segments of SRM-2 followed by a tearing open of the upper segments. Discussion in the 
“Propellant Explosive Hazards Study Volume II” report by E. J. Tomei notes that “Using 0.5 psi 
as damage threshold, the explosive yield from the liquid propellant only can be enveloped at no 
greater than 4.7% TNT (surface burst) or 3% TNT (air burst) [68]”. 


Vehicle/Flight: Titan 34D Transtage 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
9/2/1988 | Combined | 3 | Liquid | Propellant leak - low performance | None


When the Transtage reached geosynchronous transfer orbit and attempted its circularization 
burn, its engine misfired. Hydrazine and helium leaks damaged the Transtage, which apparently 
lost pressure through a small hole in the fuel tank feed system. The hole was believed to be the 
result of repair activities during prelaunch or from shrapnel impact during payload fairing 
release. The investigators concluded that there had been enough pressure for the Transtage's first 
burn, but not enough pressure for its second burn. The Chalet-Vortex electronic 
intelligence-gathering satellite was stranded in transfer orbit [32]. 


Vehicle/Flight: Commercial Titan 3 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
3/14/1990 | Combined | 5 | Staging | Staging - payload failed to separate | None


The Intelsat 603 became stranded in a low orbit when it failed to separate from the Titan second 
stage. In order to keep the satellite from falling back into the atmosphere, it was ordered to 
separate from the Orbus perigee kick motor and use its own thrusters to achieve a slightly higher 
orbit. The Titan launch vehicle had been wired in a configuration meant for two payloads. 
Because the vehicle was only carrying one payload, it did not separate when the signal to fire the 
pyro-cable was sent to the wrong system. The Space Shuttle (STS-49) later rescued the satellite 
in May of 1992 [7] [69]. 
Vehicle/Flight: Titan IV (K-11) 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
8/2/1993 | Combined | 0 | Solid | Case Burst | Environment


During the SRM’s burn, video imagery showed that a light colored ring enveloped and quickly 
expanded from the Titan IV K-11 vehicle. The puff of the doughnut-shaped ring was immediately 
followed by an explosion of one of the SRMs T+101.2 seconds into the flight, while the vehicle 
was beginning to pitch over to a more horizontal attitude and accelerate downrange to place its 
payload in a polar orbit. After the explosion occurred, Range Safety issued destruct commands at 
90 miles (145 km) downrange and an altitude of 110,000 feet (33,528 m). The designed nominal 
burn time of the SRM is 127 seconds. 


The propellant in one of the Titan IVA-11 solid rocket segments was cut approximately 0.25 in. 
(0.625 cm) deep and extended 34 in. (86.36 cm) in the radial direction from the bore during 
repair of a damaged restrictor. The repair was more extensive than had ever been attempted on 
such a motor segment. At motor ignition, the face of the cut was pressurized and open, allowing 
the flame to propagate along the cut insulation, ultimately leading to the motor case burn-through 
at 101.2 seconds [70]. 


Vehicle/Flight: Titan-401A Centaur-T 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
8/12/1998 | Combined | 2 | Liquid | Loss of control | Loss of Function


At T+40s the launch vehicle pitched over and was subsequently destroyed by aerodynamic 
forces and range safety. When the course of the rocket deviated to an angle of attack 
approximately 11 to 13 degrees from its planned path, aerodynamic stresses on the vehicle 
exceeded its structural design and the SRM separated from the core booster, initiating the 
Inadvertent Separation Destruct System. At T+45.529s, approximately 3 seconds after the 
automatic destruct sequence, Mission Flight Control Officers sent command destruct signals to 
the vehicle. 


Intermittent power shorts from a damaged wire in the second stage wiring harness caused the 
inertial guidance unit to lose its reference attitude and begin generating improper steering 
commands. The Accident Investigation Board concluded that pre-launch wire insulation damage 
existed in the Vehicle Power Supply somewhere in Stage II, which left at least one powered 
conductor with exposed wire that was not detected during the pre-launch inspections and tests. 
This particular Titan vehicle was noted to have 44 wiring defects with shorting potential 
recorded over its lifetime [71]. 
Vehicle/Flight: Titan IV B Centaur 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
4/30/1999 | Combined | 3 | Liquid | Loss of control | None


This Titan IV B launch vehicle was equipped with a Centaur upper stage intended to deliver a 
Milstar satellite into geosynchronous orbit. After the Centaur separated from the Titan IV B, the 
vehicle began to experience anomalous rolls. The reaction control system eventually stabilized 
the vehicle during the transfer orbit coast phase, but used 85% of its hydrazine fuel in the 
process. When the vehicle attempted its second burn, it became unstable again and continued 
into its third burn tumbling. The vehicle did not reach its intended velocity or orbit. The Milstar 
satellite was permanently shut down 10 days later and declared dead in orbit. 


Failed software development, testing, and quality assurance were ultimately the cause of the 
failure. During development of the Centaur computer software, a decimal point was misplaced 
while manually entering the roll rate filter constant in the Inertial Measurement System flight 
software file. This error was detected pre-flight but was not properly recognized or understood. 
Although it was not needed, the software had been kept in for “consistency” [28] [72]. 


Zenit 


Vehicle/Flight: Zenit-3SL 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
3/12/2000 | Liquid | 2 | Liquid | Loss of control | Loss of Function


Sea Launch’s first failure occurred after the Zenit-3SL’s second stage shut down 80 seconds 
early into its planned 6.5-minute burn. A software error contributed to an improperly set control 
pressure valve that caused the second stage to lose control. The rocket’s control system 
automatically shut down the engine at T+450s when it lost control, and the vehicle fell into the 
ocean. The ICO F-1 communications satellite was lost. 


It is believed that a software error on the ground failed to command a pressure valve to close in a 
pneumatic system that performed several functions, including vectoring the engine. Telemetry 
showed that this system lost 60% of its pressure, leading to a significant deviation in altitude, 
triggering the self-destruct system [28]. 
Vehicle/Flight: Zenit-3SL 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
6/29/2004 | Liquid | 3 | Liquid | Low performance | None


Zenit’s 14th flight ended in failure when the DMSL stage shut down 54 seconds early due to a 
loose wiring connection. The payload was left in a much lower orbit than planned, but was able 
to use its own propulsion system to reach geosynchronous orbit. 


A wiring problem on the Block-DM upper stage caused an electrical short that distorted 
propellant flow rate data to the engine control system. The engine mistakenly used more fuel 
than planned, depleting the fuel tank 54 seconds too early during its second burn and releasing its 
payload short of its target, stranding it in a transfer orbit with an apogee 14,000 km short of its 
geosynchronous altitude. The satellite had enough onboard propellant to mitigate the error and 
reach its proper position without shortening its lifespan [28]. 


Vehicle/Flight: Zenit-3SL 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
1/30/2007 | Liquid | 1 | Liquid | LRE Uncontained | Loss of Function


The RD-171 engine of the first stage had just ignited, followed by a tilt of the rocket and then 
immediately followed with a fireball and explosion on the launch pad. The investigation revealed 
that there had been disruption in the first stage main engine liquid oxygen pump, caused by a 
stray metal particle entering it due to a manufacturing fault. The metallic object became lodged 
between the pump's moving and stationary components, ignited, and burned as a result of 
friction-induced heat. This caused a loss of oxidizer pressurization and the main engine thrust to rapidly 
drop 3.9 seconds after ignition, with the rocket only about 0.1 m off the pad. The rocket fell back 
onto the pad and exploded [73]. 


The Zenit contained 400,000 kg of liquid propellant (RP-1 + LOX). Long-range video of the 
explosion did not give any indication of a detonation explosion, and the relative lack of damage to the 
pad would seem to support that conclusion. The pad was in fact damaged but repairable—the 
flame deflector was blown off, and the blast doors unhinged. 
Vehicle/Flight: Zenit-3SL 


Date | Vehicle Type | Failed Stage # | Failed Stage Type | Initial Manifestation Type | Launch Vehicle Demise
2/1/2013 | Liquid | 1 | Liquid | Loss of control | Loss of Function


About 40 seconds into the flight, the vehicle’s on-board computer detected that the vehicle was 
veering off course, prompting an emergency engine shutdown. The vehicle began to fall back 
down to the Earth, crashing into the Pacific Ocean just a few miles from the launch platform 
[74]. A BIM (Bortovoi Istochnik Moshnosti - Onboard Power Source) hydraulic pump failed just 
before liftoff, causing the loss of engine gimballing capability. The BIM system failure was due 
to a defect in the pump that escaped detection during hardware review. The flight control system 
and engines were functioning properly. A summary of the sequence of events [75]: 


• Monitoring data shows pump turbine quickly slowed down its rotation and then 
  completely stopped. The BIM hydraulic pump failed 4.5 sec after engines were ready 
  (~0.5 sec before liftoff). Engine gimballing function was lost. 

• Planned pitch maneuvers were not performed, and around T+16 sec, the vehicle exceeded 
  the allowable limit of 30 degrees for deviation in its rolling motion (its pitch and course 
  at that moment had not yet exceeded the allowable 15 degrees). 

• Safety algorithm issued a commanded engine shutdown as a result of the violation, but 
  vehicle thrust termination was delayed until time exceeded T+20 sec for safety reasons. 

• Vehicle crashes into the ocean T+56 sec. 


The BIM hydraulic system’s turbopump is driven initially by high-pressure helium (started 10 
sec before liftoff) and then switched over to kerosene by the main engine. The turbopump of the 
BIM can be tested with helium, but not with kerosene (which requires the main engine to be 
firing to operational thrust levels). As a result, full testing of the BIM unit was not possible. 
Corrective actions did not involve hardware changes, only increased testing and manufacturing 
process changes. 